Migrate to generic config

With release 5.0.0 there are so many deprecations and breaking changes
that it is probably a good way to assist the users with values migration
before breaking their environments.

This adds another template file that doesn't render anything but ensures
the removal of dropped or deprecated settings from customized values
files.

For when it is necessary, this check can be disabled via new setting
`checkDeprecation`.

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/269
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: wxiaoguang <wxiaoguang@noreply.gitea.io>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>

.drone.yml

@@ -1,5 +1,6 @@
 ---
 kind: pipeline
+type: docker
 name: lint
 
 platform:
@@ -7,12 +8,26 @@ platform:
   arch: arm64
 
 steps:
-- name: lint
+- name: helm lint
   pull: always
   image: alpine:3.13
   commands:
-    - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
+  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-    - helm lint
+  - helm lint
+
+- name: helm template
+  pull: always
+  image: alpine:3.13
+  commands:
+  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
+  - helm dependency update
+  - helm template --debug gitea-helm .
+
+- name: markdown lint
+  pull: always
+  image: docker.io/volkerraschek/markdownlint:latest
+  commands:
+  - markdownlint *.md
 
 - name: discord
   pull: always
@@ -29,6 +44,7 @@ steps:
 
 ---
 kind: pipeline
+type: docker
 name: release-version
 
 platform:
@@ -37,33 +53,33 @@ platform:
 
 trigger:
   event:
-    - tag
+  - tag
 
 steps:
-  - name: generate-chart
+- name: generate-chart
-    pull: always
+  pull: always
-    image: alpine:3.13
+  image: alpine:3.13
-    commands:
+  commands:
-      - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
+    - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-      - apk add --no-cache curl
+    - apk add --no-cache curl
-      - helm dependency update
+    - helm dependency update
-      - helm package --version "${DRONE_TAG##v}" ./
+    - helm package --version "${DRONE_TAG##v}" ./
-      - mkdir gitea
+    - mkdir gitea
-      - mv gitea*.tgz gitea/
+    - mv gitea*.tgz gitea/
-      - curl -L -o gitea/index.yaml https://dl.gitea.io/charts/index.yaml
+    - curl -L -o gitea/index.yaml https://dl.gitea.io/charts/index.yaml
-      - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
+    - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
 
-  - name: upload-chart
+- name: upload-chart
-    pull: always
+  pull: always
-    image: plugins/s3:latest
+  image: plugins/s3:latest
-    settings:
+  settings:
-      bucket: gitea-artifacts
+    bucket: gitea-artifacts
-      endpoint: https://storage.gitea.io
+    endpoint: https://storage.gitea.io
-      path_style: true
+    path_style: true
-      access_key:
+    access_key:
-        from_secret: aws_access_key_id
+      from_secret: aws_access_key_id
-      secret_key:
+    secret_key:
-        from_secret: aws_secret_access_key
+      from_secret: aws_secret_access_key
-      source: gitea/*
+    source: gitea/*
-      target: /charts
+    target: /charts
-      strip_prefix: gitea/
+    strip_prefix: gitea/

.markdownlint.yaml

@@ -0,0 +1,151 @@
+# markdownlint YAML configuration
+# https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml
+
+# Default state for all rules
+default: true
+
+# Path to configuration file to extend
+extends: null
+
+# MD003/heading-style/header-style - Heading style
+MD003:
+  # Heading style
+  style: "atx"
+
+# MD004/ul-style - Unordered list style
+MD004:
+  style: "dash"
+
+# MD007/ul-indent - Unordered list indentation
+MD007:
+  # Spaces for indent
+  indent: 2
+  # Whether to indent the first level of the list
+  start_indented: false
+
+# MD009/no-trailing-spaces - Trailing spaces
+MD009:
+  # Spaces for line break
+  br_spaces: 2
+  # Allow spaces for empty lines in list items
+  list_item_empty_lines: false
+  # Include unnecessary breaks
+  strict: false
+
+# MD010/no-hard-tabs - Hard tabs
+MD010:
+  # Include code blocks
+  code_blocks: true
+
+# MD012/no-multiple-blanks - Multiple consecutive blank lines
+MD012:
+  # Consecutive blank lines
+  maximum: 1
+
+# MD013/line-length - Line length
+MD013:
+  # Number of characters
+  line_length: 80
+  # Number of characters for headings
+  heading_line_length: 80
+  # Number of characters for code blocks
+  code_block_line_length: 80
+  # Include code blocks
+  code_blocks: false
+  # Include tables
+  tables: false
+  # Include headings
+  headings: true
+  # Include headings
+  headers: true
+  # Strict length checking
+  strict: false
+  # Stern length checking
+  stern: false
+
+# MD022/blanks-around-headings/blanks-around-headers - Headings should be surrounded by blank lines
+MD022:
+  # Blank lines above heading
+  lines_above: 1
+  # Blank lines below heading
+  lines_below: 1
+
+# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content
+MD024:
+  # Only check sibling headings
+  allow_different_nesting: true
+
+# MD025/single-title/single-h1 - Multiple top-level headings in the same document
+MD025:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter
+  front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD026/no-trailing-punctuation - Trailing punctuation in heading
+MD026:
+  # Punctuation characters
+  punctuation: ".,;:!。，；：！"
+
+# MD029/ol-prefix - Ordered list item prefix
+MD029:
+  # List style
+  style: "one_or_ordered"
+
+# MD030/list-marker-space - Spaces after list markers
+MD030:
+  # Spaces for single-line unordered list items
+  ul_single: 1
+  # Spaces for single-line ordered list items
+  ol_single: 1
+  # Spaces for multi-line unordered list items
+  ul_multi: 1
+  # Spaces for multi-line ordered list items
+  ol_multi: 1
+
+# MD033/no-inline-html - Inline HTML
+MD033:
+  # Allowed elements
+  allowed_elements: []
+
+# MD035/hr-style - Horizontal rule style
+MD035:
+  # Horizontal rule style
+  style: "---"
+
+# MD036/no-emphasis-as-heading/no-emphasis-as-header - Emphasis used instead of a heading
+MD036:
+  # Punctuation characters
+  punctuation: ".,;:!?。，；：！？"
+
+# MD041/first-line-heading/first-line-h1 - First line in a file should be a top-level heading
+MD041:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter
+  front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD044/proper-names - Proper names should have the correct capitalization
+MD044:
+  # List of proper names
+  names:
+  - Gitea
+  - PostgreSQL
+  - MariaDB
+  - MySQL
+  - Memcached
+  - Prometheus
+  - Git
+  - GitOps
+  # Include code blocks
+  code_blocks: false
+
+# MD046/code-block-style - Code block style
+MD046:
+  # Block style
+  style: "fenced"
+
+# MD048/code-fence-style - Code fence style
+MD048:
+  # Code fence syle
+  style: "backtick"

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.14.1
+appVersion: 1.15.4
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:
@@ -26,21 +26,35 @@ maintainers:
     email: konrad.lother@novum-rgi.de
   - name: Lucas Hahn
     email: lucas.hahn@novum-rgi.de
+  - name: Steven Kriegler
+    email: sk.bunsenbrenner@gmail.com
 
 dependencies:
 - name: memcached
   repository: https://charts.bitnami.com/bitnami
-  version: 4.2.20
+  version: 5.9.0
-  condition: gitea.cache.builtIn.enabled
+  condition: memcached.enabled
+- name: redis-cluster
+  repository: https://charts.bitnami.com/bitnami
+  version: 6.2.3
+  condition: redis-cluster.enabled
+- name: redis
+  repository: https://charts.bitnami.com/bitnami
+  version: 14.6.6
+  condition: redis.enabled
 - name: mysql
   repository: https://charts.bitnami.com/bitnami
   version: 6.14.10
-  condition: gitea.database.builtIn.mysql.enabled
+  condition: mysql.enabled
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
-  version: 9.7.2
+  version: 10.3.17
-  condition: gitea.database.builtIn.postgresql.enabled
+  condition: postgresql.enabled
+- name: postgresql-ha
+  repository: https://charts.bitnami.com/bitnami
+  version: 7.7.3
+  condition: postgresql-ha.enabled
 - name: mariadb
   repository: https://charts.bitnami.com/bitnami
-  version: 8.0.0
+  version: 9.3.6
-  condition: gitea.database.builtIn.mariadb.enabled
+  condition: mariadb.enabled

templates/NOTES.txt

@@ -1,7 +1,9 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
 {{- range $host := .Values.ingress.hosts }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}/
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.http.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gitea.fullname" . }})

templates/gitea/config.yaml

@@ -1,148 +1,128 @@
 apiVersion: v1
 kind: Secret
+metadata:
+  name: {{ include "gitea.fullname" . }}-inline-config
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  {{- include "gitea.inline_configuration" . | nindent 2 }}
+---
+apiVersion: v1
+kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  app.ini: |-
+  config_environment.sh: |-
-    {{- if not (hasKey .Values.gitea.config "cache") -}}
+    #!/usr/bin/env bash
-    {{- $_ := set .Values.gitea.config "cache" dict -}}
+    set -euo pipefail
-    {{- end -}}
 
-    {{- if not (hasKey .Values.gitea.config "server") -}}
+    function env2ini::log() {
-    {{- $_ := set .Values.gitea.config "server" dict -}}
+      printf "${1}\n"
-    {{- end -}}
+    }
 
-    {{- if not (hasKey .Values.gitea.config "metrics") -}}
+    function env2ini::read_config_to_env() {
-    {{- $_ := set .Values.gitea.config "metrics" dict -}}
+      local section="${1}"
-    {{- end -}}
+      local line="${2}"
 
-    {{- if not (hasKey .Values.gitea.config "database") -}}
+      if [[ -z "${line}" ]]; then
-    {{- $_ := set .Values.gitea.config "database" dict -}}
+        # skip empty line
-    {{- end -}}
+        return
+      fi
+      
+      # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+      local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
 
-    {{- if not (hasKey .Values.gitea.config "security") -}}
+      if [[ -z "${setting}" ]]; then
-    {{- $_ := set .Values.gitea.config "security" dict -}}
+        env2ini::log '  ! invalid setting'
-    {{- end -}}
+        exit 1
+      fi
 
-    {{- if not .Values.gitea.config.repository -}}
+      local value=''
-    {{- $_ := set .Values.gitea.config "repository" dict -}}
+      local regex="^${setting}(\s*)=(\s*)(.*)"
-    {{- end -}}
+      if [[ $line =~ $regex ]]; then
+        value="${BASH_REMATCH[3]}"
+      else
+        env2ini::log '  ! invalid setting'
+        exit 1
+      fi
 
-    {{- /* repository default settings */ -}}
+      env2ini::log "    + '${setting}'"
-    {{- if not .Values.gitea.config.repository.ROOT -}}
-    {{- $_ := set .Values.gitea.config.repository "ROOT" "/data/git/gitea-repositories" -}}
-    {{- end -}}
 
-    {{- /* security default settings */ -}}
+      if [[ -z "${section}" ]]; then
-    {{- if not .Values.gitea.config.security.INSTALL_LOCK -}}
+        export "ENV_TO_INI____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
-    {{- $_ := set .Values.gitea.config.security "INSTALL_LOCK" "true" -}}
+        return
-    {{- end -}}
+      fi
 
-    {{- /* server default settings */ -}}
+      local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
-    {{- if not (hasKey .Values.gitea.config.server "HTTP_PORT") -}}
+      masked_section="${masked_section//-/_0X2D_}"
-    {{- $_ := set .Values.gitea.config.server "HTTP_PORT" .Values.service.http.port -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.PROTOCOL -}}
-    {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}}
-    {{- end -}}
-    {{- if not (.Values.gitea.config.server.DOMAIN) -}}
-    {{- if gt (len .Values.ingress.hosts) 0 -}}
-    {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0) -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.ROOT_URL -}}
-    {{- if .Values.ingress.enabled -}}
-    {{- if gt (len .Values.ingress.tls) 0 -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0)) -}}
-    {{- end -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.SSH_PORT -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}}
-    {{- end -}}
-    {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
-    {{- if not .Values.image.rootless -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" "2222" -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not (hasKey .Values.gitea.config.server "START_SSH_SERVER") -}}
-    {{- if .Values.image.rootless -}}
-    {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "true" -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}}
-    {{- $_ := set .Values.gitea.config.server "APP_DATA_PATH" "/data" -}}
-    {{- end -}}
-    {{- if not (hasKey .Values.gitea.config.server "ENABLE_PPROF") -}}
-    {{- $_ := set .Values.gitea.config.server "ENABLE_PPROF" false -}}
-    {{- end -}}
 
-    {{- /* metrics default settings */ -}}
+      export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
-    {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
+    }
-    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
-    {{- end -}}
 
-    {{- /* database default settings */ -}}
+    function env2ini::process_config_file() {
-    {{- if .Values.gitea.database.builtIn.postgresql.enabled -}}
+      local config_file="${1}"
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
+      local section="$(basename "${config_file}")"
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-    {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.postgresqlDatabase -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.postgresqlUsername -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.postgresqlPassword -}}
-    {{ else if .Values.gitea.database.builtIn.mysql.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-    {{- $_ := set .Values.gitea.config.database "HOST"      (include "mysql.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mysql.db.name -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mysql.db.user -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mysql.db.password -}}
-    {{ else if .Values.gitea.database.builtIn.mariadb.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-    {{- $_ := set .Values.gitea.config.database "HOST"      (include "mariadb.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mariadb.auth.database -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mariadb.auth.username -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mariadb.auth.password -}}
-    {{- end -}}
 
-    {{- /* cache default settings */ -}}
+      if [[ $section == '_generals_' ]]; then
-    {{- if .Values.gitea.cache.builtIn.enabled -}}
+        env2ini::log "  [ini root]"
-    {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
+        section=''
-    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}}
+      else
-    {{- if not (.Values.gitea.config.cache.HOST) -}}
+        env2ini::log "  ${section}"
-    {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}}
+      fi
-    {{- end -}}
-    {{- end -}}
 
-    {{- /* autogenerate app.ini */ -}}
+      while read -r line; do
-    {{- range $key, $value := .Values.gitea.config  }}
+        env2ini::read_config_to_env "${section}" "${line}"
-    {{- if kindIs "map" $value }}
+      done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
-    {{- if gt (len $value) 0 }}
+    }
 
-    [{{ $key }}]
+    function env2ini::load_config_sources() {
-    {{- range $n_key, $n_value := $value }}
+      local path="${1}"
-    {{ $n_key | upper }} = {{ $n_value }}
+
-    {{- end }}
+      env2ini::log "Processing $(basename "${path}")..."
-    {{- end }}
+
-    {{- else }}
+      while read -d '' configFile; do
-    {{ $key | upper }} = {{ $value }}
+        env2ini::process_config_file "${configFile}"
-    {{- end }}
+      done < <(find "${path}" -type l -not -name '..data' -print0)
-    {{- end }}
+
+      env2ini::log "\n"
+    }
+
+    function env2ini::generate_initial_secrets() {
+      # These environment variables will either be
+      #   - overwritten with user defined values,
+      #   - initially used to set up Gitea
+      # Anyway, they won't harm existing app.ini files
+
+      export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+      export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+      export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+
+      env2ini::log "...Initial secrets generated\n"
+    }
+
+    # MUST BE CALLED BEFORE OTHER CONFIGURATION
+    env2ini::generate_initial_secrets
+
+    env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
+    env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
+
+    env2ini::log "=== All configuration sources loaded ===\n"
+
+    # safety to prevent rewrite of secret keys if an app.ini already exists
+    if [ -f ${GITEA_APP_INI} ]; then
+      env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
+      env2ini::log '  - security.INTERNAL_TOKEN'
+      env2ini::log '  - security.SECRET_KEY'
+      env2ini::log '  - oauth2.JWT_SECRET'
+
+      unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN
+      unset ENV_TO_INI__SECURITY__SECRET_KEY
+      unset ENV_TO_INI__OAUTH2__JWT_SECRET
+    fi
+
+    environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI
+    

templates/gitea/deprecation.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.checkDeprecation -}}
+  {{/* CUSTOM PROBES */}}
+  {{- if .Values.gitea.customLivenessProbe -}}
+    {{- fail "`gitea.customLivenessProbe` does no longer exist. Please refer to the changelog and configure `gitea.livenessProbe` instead." -}}
+  {{- end -}}
+  {{- if .Values.gitea.customReadinessProbe -}}
+    {{- fail "`gitea.customReadinessProbe` does no longer exist. Please refer to the changelog and configure `gitea.readinessProbe` instead." -}}
+  {{- end -}}
+  {{- if .Values.gitea.customStartupProbe -}}
+    {{- fail "`gitea.customStartupProbe` does no longer exist. Please refer to the changelog and configure `gitea.startupProbe` instead." -}}
+  {{- end -}}
+
+  {{/* LDAP SOURCES */}}
+  {{- if kindIs "map" .Values.gitea.ldap -}}
+    {{- fail "You can configure multiple LDAP sources. Please refer to the changelog and switch `gitea.ldap` from object to array notation." -}}
+  {{- end -}}
+  
+  {{/* OAUTH SOURCES */}}
+  {{- if kindIs "map" .Values.gitea.oauth -}}
+    {{- fail "You can configure multiple OAuth sources. Please refer to the changelog and switch `gitea.oauth` from object to array notation." -}}
+  {{- end -}}
+  
+  {{/* BUILTIN */}}
+  {{- if .Values.gitea.cache -}}
+    {{- if .Values.gitea.cache.builtIn -}}
+      {{- fail "`gitea.cache.builtIn` does no longer exist. Please use `memcached` at root level instead." -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if .Values.gitea.database -}}
+    {{- if .Values.gitea.database.builtIn -}}
+      {{- fail "`gitea.database.builtIn` does no longer exist. Builtin databases can be configured inside the dependencies itself. Please refer to the changelog." -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}

templates/gitea/ingress.yaml

@@ -1,13 +1,15 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "gitea.fullname" . -}}
 {{- $httpPort := .Values.service.http.port -}}
-{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
+{{- $apiVersion := "extensions/v1beta1" -}}
-apiVersion: networking.k8s.io/v1
+{{- if .Values.ingress.apiVersion -}}
+{{- $apiVersion = .Values.ingress.apiVersion -}}
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
+{{- $apiVersion = "networking.k8s.io/v1" }}
 {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
-apiVersion: networking.k8s.io/v1beta1
+{{- $apiVersion = "networking.k8s.io/v1beta1" }}
-{{- else -}}
-apiVersion: extensions/v1beta1
 {{- end }}
+apiVersion: {{ $apiVersion }}
 kind: Ingress
 metadata:
   name: {{ $fullName }}
@@ -18,6 +20,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
+{{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+{{- end }}
 {{- if .Values.ingress.tls }}
   tls:
   {{- range .Values.ingress.tls }}
@@ -29,16 +34,17 @@ spec:
   {{- end }}
 {{- end }}
   rules:
-  {{- range .Values.ingress.hosts }}
+    {{- range .Values.ingress.hosts }}
-    - host: {{ . | quote }}
+    - host: {{ .host | quote }}
       http:
         paths:
-          - path: /
+          {{- range .paths }}
-            {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+          - path: {{ .path }}
-            pathType: Prefix
+            {{- if and .pathType (eq $apiVersion "networking.k8s.io/v1") }}
+            pathType: {{ .pathType }}
             {{- end }}
             backend:
-            {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+            {{- if eq $apiVersion "networking.k8s.io/v1" }}
               service:
                 name: {{ $fullName }}-http
                 port:
@@ -47,5 +53,6 @@ spec:
               serviceName: {{ $fullName }}-http
               servicePort: {{ $httpPort }}
             {{- end }}
-  {{- end }}
+          {{- end }}
+    {{- end }}
 {{- end }}

templates/gitea/init.yaml

@@ -6,8 +6,11 @@ metadata:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  init_gitea.sh: |-
+  init_directory_structure.sh: |-
-    #!/bin/bash
+    #!/usr/bin/env bash
+
+    set -euo pipefail
+
     {{- if .Values.initPreScript }}
     # BEGIN: initPreScript
     {{- with .Values.initPreScript -}}
@@ -16,52 +19,133 @@ stringData:
     # END: initPreScript
     {{- end }}
 
+    set -x
+
+    {{- if not .Values.image.rootless }}
     chown 1000:1000 /data
+    {{- end }}
     mkdir -p /data/git/.ssh
     chmod -R 700 /data/git/.ssh
-    mkdir -p /data/gitea/conf
+    [ ! -d /data/gitea ] && mkdir -p /data/gitea/conf
+
+    # prepare temp directory structure
+    mkdir -p "${GITEA_TEMP}"
+    chown 1000:1000 "${GITEA_TEMP}"
+    chmod ug+rwx "${GITEA_TEMP}"
+
+  configure_gitea.sh: |-
+    #!/usr/bin/env bash
+
+    set -euo pipefail
 
-    # Copy config file to writable volume
-    cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
-    chmod a+rwx /data/gitea/conf/app.ini
     {{- if include "db.servicename" . }}
-    # Wait for database to become avialble
+    # Connection retry inspired by https://gist.github.com/dublx/e99ea94858c07d2ca6de
-    nc -v -w2 -z {{ include "db.servicename" . }} {{ include "db.port" . }} && \
+    function test_db_connection() {
+      local RETRY=0
+      local MAX=30
+
+      echo 'Wait for database to become avialable...'
+      until [ "${RETRY}" -ge "${MAX}" ]; do
+        nc -vz -w2 {{ include "db.servicename" . }} {{ include "db.port" . }} && break
+        RETRY=$[${RETRY}+1]
+        echo "...not ready yet (${RETRY}/${MAX})"
+      done
+
+      if [ "${RETRY}" -ge "${MAX}" ]; then
+        echo "Database not reachable after '${MAX}' attempts!"
+        exit 1
+      fi
+    }
+
+    test_db_connection
     {{- end }}
-    {{- if not .Values.image.rootless }}
+
-    su git -c ' \
+    {{- if include "redis.servicename" . }}
+    function test_redis_connection() {
+      local RETRY=0
+      local MAX=30
+      
+      echo 'Wait for redis to become avialable...'
+      until [ "${RETRY}" -ge "${MAX}" ]; do
+        nc -vz -w2 {{ include "redis.servicename" . }} {{ include "redis.port" . }} && break
+        RETRY=$[${RETRY}+1]
+        echo "...not ready yet (${RETRY}/${MAX})"
+      done
+
+      if [ "${RETRY}" -ge "${MAX}" ]; then
+        echo "Redis not reachable after '${MAX}' attempts!"
+        exit 1
+      fi
+    }
+
+    test_redis_connection
     {{- end }}
-    set -x; \
+
-    gitea migrate; \
+    echo '==== BEGIN GITEA CONFIGURATION ===='
-    {{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}
+
-    gitea admin create-user --username  {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
+    gitea migrate
-    || \
+
-    gitea admin change-password --username {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} \
+    {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
-    || \
+    function configure_admin_user() {
-    gitea admin user create --username  {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
+      local ACCOUNT_ID=$(gitea admin user list --admin | grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+" | awk -F " " "{printf \$1}")
-    || \
+      if [[ -z "${ACCOUNT_ID}" ]]; then
-    gitea admin user change-password --username {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }}; \
+        echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
-    {{- end }}
+        gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
-    {{- if .Values.gitea.ldap.enabled }}
+        echo '...created.'
-    gitea admin auth add-ldap \
+      else
-    {{- include "gitea.ldap_settings" . | nindent 6 }} \
+        echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
-    || \
+        gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
-    ( \
+        echo '...password sync done.'
-      export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.ldap.name | quote }} | awk -F " "  "{print \$1}"); \
+      fi
-      gitea admin auth update-ldap --id ${GITEA_AUTH_ID} \
+    }
-      {{- include "gitea.ldap_settings" . | nindent 6 }} \
+
-    ) \
+    configure_admin_user
-    {{- end }}
-    {{- if .Values.gitea.oauth.enabled }}
-    gitea admin auth add-oauth \
-    {{- include "gitea.oauth_settings" . | nindent 6 }} \
-    || \
-    ( \
-      export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.oauth.name | quote }} | awk -F " "  "{print \$1}"); \
-      gitea admin auth update-oauth --id ${GITEA_AUTH_ID} \
-      {{- include "gitea.oauth_settings" . | nindent 6 }} \
-    ) \
-    {{- end }}
-    {{- if not .Values.image.rootless }}
-    '
     {{- end }}
+
+    function configure_ldap() {
+      {{- if .Values.gitea.ldap }}
+      {{- range $idx, $value := .Values.gitea.ldap }}
+      local LDAP_NAME={{ (printf "%s" $value.name) | squote }}
+      local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")
+
+      if [[ -z "${GITEA_AUTH_ID}" ]]; then
+        echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
+        gitea admin auth add-ldap {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
+        echo '...installed.'
+      else
+        echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..."
+        gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
+        echo '...sync settings done.'
+      fi
+      {{- end }}
+      {{- else }}
+        echo 'no ldap configuration... skipping.'
+      {{- end }}
+    }
+
+    configure_ldap
+
+    function configure_oauth() {
+      {{- if .Values.gitea.oauth }}
+      {{- range $idx, $value := .Values.gitea.oauth }}
+      local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
+      local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")
+
+      if [[ -z "${AUTH_ID}" ]]; then
+        echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
+        gitea admin auth add-oauth {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
+        echo '...installed.'
+      else
+        echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
+        gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
+        echo '...sync settings done.'
+      fi
+      {{- end }}
+      {{- else }}
+        echo 'no oauth configuration... skipping.'
+      {{- end }}
+    }
+
+    configure_oauth
+
+    echo '==== END GITEA CONFIGURATION ===='

templates/gitea/statefulset.yaml

@@ -17,8 +17,12 @@ spec:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }}
-        checksum/ldap: {{ include "gitea.ldap_settings" . | sha256sum }}
+        {{- range $idx, $value := .Values.gitea.ldap }}
-        checksum/oauth: {{ include "gitea.oauth_settings" . | sha256sum }}
+        checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }}
+        {{- end }}
+        {{- range $idx, $value := .Values.gitea.oauth }}
+        checksum/oauth_{{ $idx }}: {{ include "gitea.oauth_settings" (list $idx $value) | sha256sum }}
+        {{- end }}
         {{- with .Values.gitea.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -36,11 +40,11 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       securityContext:
-        fsGroup: 1000
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:
-        - name: init
+        - name: init-directories
           image: "{{ include "gitea.image" . }}"
-          command: ["/usr/sbin/init_gitea.sh"]
+          command: ["/usr/sbin/init_directory_structure.sh"]
           env:
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
@@ -48,16 +52,148 @@ spec:
               value: /data/gitea
             - name: GITEA_WORK_DIR
               value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
             {{- if .Values.statefulset.env }}
             {{- toYaml .Values.statefulset.env | nindent 12 }}
             {{- end }}
           volumeMounts:
             - name: init
               mountPath: /usr/sbin
-            - name: config
+            - name: temp
-              mountPath: /etc/gitea/conf
+              mountPath: /tmp
             - name: data
               mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
+          securityContext:
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+        - name: init-app-ini
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/config_environment.sh"]
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- end }}
+          volumeMounts:
+            - name: config
+              mountPath: /usr/sbin
+            - name: temp
+              mountPath: /tmp
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+            - name: inline-config-sources
+              mountPath: /env-to-ini-mounts/inlines/
+            {{- range $idx, $value := .Values.gitea.additionalConfigSources }}
+            - name: additional-config-sources-{{ $idx }}
+              mountPath: "/env-to-ini-mounts/additionals/{{ $idx }}/"
+            {{- end }}
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
+          securityContext:
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+        - name: configure-gitea
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/configure_gitea.sh"]
+          securityContext:
+            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
+            {{- $csc := deepCopy .Values.containerSecurityContext -}}
+            {{- if not (hasKey $csc "runAsUser") -}}
+            {{- $_ := set $csc "runAsUser" 1000 -}}
+            {{- end -}}
+            {{- toYaml $csc | nindent 12 }}
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
+            {{- if .Values.gitea.ldap }}
+            {{- range $idx, $value := .Values.gitea.ldap }}
+            {{- if $value.existingSecret }}
+            - name: GITEA_LDAP_BIND_DN_{{ $idx }}
+              valueFrom:
+                secretKeyRef:
+                  key:  bindDn
+                  name: {{ $value.existingSecret }}
+            - name: GITEA_LDAP_PASSWORD_{{ $idx }}
+              valueFrom:
+                secretKeyRef:
+                  key:  bindPassword
+                  name: {{ $value.existingSecret }}
+            {{- else }}
+            - name: GITEA_LDAP_BIND_DN_{{ $idx }}
+              value: {{ $value.bindDn | quote }}
+            - name: GITEA_LDAP_PASSWORD_{{ $idx }}
+              value: {{ $value.bindPassword | quote }}
+            {{- end }}
+            {{- end }}
+            {{- end }}
+            {{- if .Values.gitea.oauth }}
+            {{- range $idx, $value := .Values.gitea.oauth }}
+            {{- if $value.existingSecret }}
+            - name: GITEA_OAUTH_KEY_{{ $idx }}
+              valueFrom:
+                secretKeyRef:
+                  key:  key
+                  name: {{ $value.existingSecret }}
+            - name: GITEA_OAUTH_SECRET_{{ $idx }}
+              valueFrom:
+                secretKeyRef:
+                  key:  secret
+                  name: {{ $value.existingSecret }}
+            {{- end }}
+            {{- end }}
+            {{- end }}
+            {{- if .Values.gitea.admin.existingSecret }}
+            - name: GITEA_ADMIN_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key:  username
+                  name: {{ .Values.gitea.admin.existingSecret }}
+            - name: GITEA_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key:  password
+                  name: {{ .Values.gitea.admin.existingSecret }}
+            {{- else }}
+            - name: GITEA_ADMIN_USERNAME
+              value: {{ .Values.gitea.admin.username | quote }}
+            - name: GITEA_ADMIN_PASSWORD
+              value: {{ .Values.gitea.admin.password | quote }}
+            {{- end }}
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- end }}
+          volumeMounts:
+            - name: init
+              mountPath: /usr/sbin
+            - name: temp
+              mountPath: /tmp
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
             {{- if .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
@@ -82,6 +218,10 @@ spec:
               value: /tmp/gitea
             - name: TMPDIR
               value: /tmp/gitea
+            {{- if .Values.signing.enabled }}
+            - name: GNUPGHOME
+              value: {{ .Values.signing.gpgHome }}
+            {{- end }}
             {{- if .Values.statefulset.env }}
             {{- toYaml .Values.statefulset.env | nindent 12 }}
             {{- end }}
@@ -94,54 +234,35 @@ spec:
             - name: profiler
               containerPort: 6060
             {{- end }}
-          {{- if .Values.gitea.livenessProbe.enabled }}
+          {{- if .Values.gitea.livenessProbe }}
           livenessProbe:
-            tcpSocket:
+            {{- toYaml .Values.gitea.livenessProbe | nindent 12 }}
-              port: http
-            initialDelaySeconds: {{ .Values.gitea.livenessProbe.initialDelaySeconds }}
-            periodSeconds: {{ .Values.gitea.livenessProbe.periodSeconds }}
-            timeoutSeconds: {{ .Values.gitea.livenessProbe.timeoutSeconds }}
-            successThreshold: {{ .Values.gitea.livenessProbe.successThreshold }}
-            failureThreshold: {{ .Values.gitea.livenessProbe.failureThreshold }}
-          {{- else if .Values.gitea.customLivenessProbe }}
-          livenessProbe:
-            {{- toYaml .Values.gitea.customLivenessProbe | nindent 12 }}
           {{- end }}
-          {{- if .Values.gitea.readinessProbe.enabled }}
+          {{- if .Values.gitea.readinessProbe }}
           readinessProbe:
-            tcpSocket:
+            {{- toYaml .Values.gitea.readinessProbe | nindent 12 }}
-              port: http
-            initialDelaySeconds: {{ .Values.gitea.readinessProbe.initialDelaySeconds }}
-            periodSeconds: {{ .Values.gitea.readinessProbe.periodSeconds }}
-            timeoutSeconds: {{ .Values.gitea.readinessProbe.timeoutSeconds }}
-            successThreshold: {{ .Values.gitea.readinessProbe.successThreshold }}
-            failureThreshold: {{ .Values.gitea.readinessProbe.failureThreshold }}
-          {{- else if .Values.gitea.customReadinessProbe }}
-          readinessProbe:
-            {{- toYaml .Values.gitea.customReadinessProbe | nindent 12 }}
           {{- end }}
-          {{- if .Values.gitea.startupProbe.enabled }}
+          {{- if .Values.gitea.startupProbe }}
           startupProbe:
-            tcpSocket:
+            {{- toYaml .Values.gitea.startupProbe | nindent 12 }}
-              port: http
-            initialDelaySeconds: {{ .Values.gitea.startupProbe.initialDelaySeconds }}
-            periodSeconds: {{ .Values.gitea.startupProbe.periodSeconds }}
-            timeoutSeconds: {{ .Values.gitea.startupProbe.timeoutSeconds }}
-            successThreshold: {{ .Values.gitea.startupProbe.successThreshold }}
-            failureThreshold: {{ .Values.gitea.startupProbe.failureThreshold }}
-          {{- else if .Values.gitea.customStartupProbe }}
-          startupProbe:
-            {{- toYaml .Values.gitea.customStartupProbe | nindent 12 }}
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- /* Honor the deprecated securityContext variable when defined */ -}}
+            {{- if .Values.containerSecurityContext -}}
+            {{ toYaml .Values.containerSecurityContext | nindent 12 -}}
+            {{- else -}}
+            {{ toYaml .Values.securityContext | nindent 12 -}}
+            {{- end }}
           volumeMounts:
             - name: temp
               mountPath: /tmp
             - name: data
               mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
             {{- if .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
@@ -161,19 +282,29 @@ spec:
         - name: init
           secret:
             secretName: {{ include "gitea.fullname" . }}-init
-            defaultMode: 0777
+            defaultMode: 110
         - name: config
           secret:
             secretName: {{ include "gitea.fullname" . }}
+            defaultMode: 110
         {{- if .Values.extraVolumes }}
         {{- toYaml .Values.extraVolumes | nindent 8 }}
         {{- end }}
+        - name: inline-config-sources
+          secret:
+            secretName: {{ include "gitea.fullname" . }}-inline-config
+        {{- range $idx, $value := .Values.gitea.additionalConfigSources }}
+        - name: additional-config-sources-{{ $idx }}
+          {{- toYaml $value | nindent 10 }}
+        {{- end }}
         - name: temp
           emptyDir: {}
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
         - name: data
           persistentVolumeClaim:
-            claimName: {{ .Values.persistence.existingClaim }}
+  {{- with .Values.persistence.existingClaim }}
+            claimName: {{ tpl . $ }}
+  {{- end }}
   {{- else if not .Values.persistence.enabled }}
         - name: data
           emptyDir: {}