1.16.7

To enable access to e.g. the SSH port by IPv6, the selection of ipFamilyPolicy and ipFamilies service attributes is necessary. Enable the possibility to configure these by helm values.

Co-authored-by: Sven Fischer <sven@leiderfischer.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/313
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Co-authored-by: svenihoney <svenihoney@noreply.gitea.io>
Co-committed-by: svenihoney <svenihoney@noreply.gitea.io>

.drone.yml

@@ -1,5 +1,6 @@
 ---
 kind: pipeline
+type: docker
 name: lint
 
 platform:
@@ -7,12 +8,26 @@ platform:
   arch: arm64
 
 steps:
-- name: lint
+- name: helm lint
   pull: always
-  image: alpine:3.13
+  image: alpine:3.15
   commands:
-    - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
+  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-    - helm lint
+  - helm lint
+
+- name: helm template
+  pull: always
+  image: alpine:3.15
+  commands:
+  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
+  - helm dependency update
+  - helm template --debug gitea-helm .
+
+- name: markdown lint
+  pull: always
+  image: docker.io/volkerraschek/markdownlint:latest
+  commands:
+  - markdownlint *.md
 
 - name: discord
   pull: always
@@ -29,6 +44,7 @@ steps:
 
 ---
 kind: pipeline
+type: docker
 name: release-version
 
 platform:
@@ -37,33 +53,32 @@ platform:
 
 trigger:
   event:
-    - tag
+  - tag
 
 steps:
-  - name: generate-chart
+- name: generate-chart
-    pull: always
+  pull: always
-    image: alpine:3.13
+  image: alpine:3.15
-    commands:
+  commands:
-      - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
+    - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-      - apk add --no-cache curl
+    - apk add --no-cache curl
-      - helm dependency update
+    - helm dependency update
-      - helm package --version "${DRONE_TAG##v}" ./
+    - helm package --version "${DRONE_TAG##v}" ./
-      - mkdir gitea
+    - mkdir gitea
-      - mv gitea*.tgz gitea/
+    - mv gitea*.tgz gitea/
-      - curl -L -o gitea/index.yaml https://dl.gitea.io/charts/index.yaml
+    - curl -L -o gitea/index.yaml https://dl.gitea.io/charts/index.yaml
-      - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
+    - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
 
-  - name: upload-chart
+- name: upload-chart
-    pull: always
+  pull: always
-    image: plugins/s3:latest
+  image: plugins/s3:latest
-    settings:
+  settings:
-      bucket: gitea-artifacts
+    bucket: gitea-artifacts
-      endpoint: https://storage.gitea.io
+    endpoint: https://ams3.digitaloceanspaces.com
-      path_style: true
+    access_key:
-      access_key:
+      from_secret: aws_access_key_id
-        from_secret: aws_access_key_id
+    secret_key:
-      secret_key:
+      from_secret: aws_secret_access_key
-        from_secret: aws_secret_access_key
+    source: gitea/*
-      source: gitea/*
+    target: /charts
-      target: /charts
+    strip_prefix: gitea/
-      strip_prefix: gitea/

.markdownlint.yaml

@@ -0,0 +1,151 @@
+# markdownlint YAML configuration
+# https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml
+
+# Default state for all rules
+default: true
+
+# Path to configuration file to extend
+extends: null
+
+# MD003/heading-style/header-style - Heading style
+MD003:
+  # Heading style
+  style: "atx"
+
+# MD004/ul-style - Unordered list style
+MD004:
+  style: "dash"
+
+# MD007/ul-indent - Unordered list indentation
+MD007:
+  # Spaces for indent
+  indent: 2
+  # Whether to indent the first level of the list
+  start_indented: false
+
+# MD009/no-trailing-spaces - Trailing spaces
+MD009:
+  # Spaces for line break
+  br_spaces: 2
+  # Allow spaces for empty lines in list items
+  list_item_empty_lines: false
+  # Include unnecessary breaks
+  strict: false
+
+# MD010/no-hard-tabs - Hard tabs
+MD010:
+  # Include code blocks
+  code_blocks: true
+
+# MD012/no-multiple-blanks - Multiple consecutive blank lines
+MD012:
+  # Consecutive blank lines
+  maximum: 1
+
+# MD013/line-length - Line length
+MD013:
+  # Number of characters
+  line_length: 80
+  # Number of characters for headings
+  heading_line_length: 80
+  # Number of characters for code blocks
+  code_block_line_length: 80
+  # Include code blocks
+  code_blocks: false
+  # Include tables
+  tables: false
+  # Include headings
+  headings: true
+  # Include headings
+  headers: true
+  # Strict length checking
+  strict: false
+  # Stern length checking
+  stern: false
+
+# MD022/blanks-around-headings/blanks-around-headers - Headings should be surrounded by blank lines
+MD022:
+  # Blank lines above heading
+  lines_above: 1
+  # Blank lines below heading
+  lines_below: 1
+
+# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content
+MD024:
+  # Only check sibling headings
+  allow_different_nesting: true
+
+# MD025/single-title/single-h1 - Multiple top-level headings in the same document
+MD025:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter
+  front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD026/no-trailing-punctuation - Trailing punctuation in heading
+MD026:
+  # Punctuation characters
+  punctuation: ".,;:!。，；：！"
+
+# MD029/ol-prefix - Ordered list item prefix
+MD029:
+  # List style
+  style: "one_or_ordered"
+
+# MD030/list-marker-space - Spaces after list markers
+MD030:
+  # Spaces for single-line unordered list items
+  ul_single: 1
+  # Spaces for single-line ordered list items
+  ol_single: 1
+  # Spaces for multi-line unordered list items
+  ul_multi: 1
+  # Spaces for multi-line ordered list items
+  ol_multi: 1
+
+# MD033/no-inline-html - Inline HTML
+MD033:
+  # Allowed elements
+  allowed_elements: []
+
+# MD035/hr-style - Horizontal rule style
+MD035:
+  # Horizontal rule style
+  style: "---"
+
+# MD036/no-emphasis-as-heading/no-emphasis-as-header - Emphasis used instead of a heading
+MD036:
+  # Punctuation characters
+  punctuation: ".,;:!?。，；：！？"
+
+# MD041/first-line-heading/first-line-h1 - First line in a file should be a top-level heading
+MD041:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter
+  front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD044/proper-names - Proper names should have the correct capitalization
+MD044:
+  # List of proper names
+  names:
+  - Gitea
+  - PostgreSQL
+  - MariaDB
+  - MySQL
+  - Memcached
+  - Prometheus
+  - Git
+  - GitOps
+  # Include code blocks
+  code_blocks: false
+
+# MD046/code-block-style - Code block style
+MD046:
+  # Block style
+  style: "fenced"
+
+# MD048/code-fence-style - Code fence style
+MD048:
+  # Code fence syle
+  style: "backtick"

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.14.3
+appVersion: 1.16.7
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:
@@ -33,16 +33,16 @@ dependencies:
 - name: memcached
   repository: https://charts.bitnami.com/bitnami
   version: 5.9.0
-  condition: gitea.cache.builtIn.enabled
+  condition: memcached.enabled
 - name: mysql
   repository: https://charts.bitnami.com/bitnami
   version: 6.14.10
-  condition: gitea.database.builtIn.mysql.enabled
+  condition: mysql.enabled
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
   version: 10.3.17
-  condition: gitea.database.builtIn.postgresql.enabled
+  condition: postgresql.enabled
 - name: mariadb
   repository: https://charts.bitnami.com/bitnami
   version: 9.3.6
-  condition: gitea.database.builtIn.mariadb.enabled
+  condition: mariadb.enabled

templates/_helpers.tpl

@@ -36,7 +36,7 @@ Create image name and tag used by the deployment.
 */}}
 {{- define "gitea.image" -}}
 {{- $name := .Values.image.repository -}}
-{{- $tag := ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") -}}
+{{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
 {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
 {{- printf "%s:%s%s" $name $tag $rootless -}}
 {{- end -}}
@@ -48,10 +48,8 @@ Common labels
 helm.sh/chart: {{ include "gitea.chart" . }}
 app: {{ include "gitea.name" . }}
 {{ include "gitea.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
-version: {{ .Chart.AppVersion | quote }}
-{{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
@@ -63,30 +61,6 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
-{{- define "db.servicename" -}}
-{{- if .Values.gitea.database.builtIn.postgresql.enabled -}}
-{{- printf "%s-postgresql" .Release.Name -}}
-{{- else if .Values.gitea.database.builtIn.mysql.enabled -}}
-{{- printf "%s-mysql" .Release.Name -}}
-{{- else if .Values.gitea.database.builtIn.mariadb.enabled -}}
-{{- printf "%s-mariadb" .Release.Name -}}
-{{- else if ne .Values.gitea.config.database.DB_TYPE "sqlite3" -}}
-{{- $parts := split ":" .Values.gitea.config.database.HOST -}}
-{{- printf "%s %s" $parts._0 $parts._1 -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "db.port" -}}
-{{- if .Values.gitea.database.builtIn.postgresql.enabled -}}
-{{ .Values.postgresql.global.postgresql.servicePort }}
-{{- else if .Values.gitea.database.builtIn.mysql.enabled -}}
-{{ .Values.mysql.service.port }}
-{{- else if .Values.gitea.database.builtIn.mariadb.enabled -}}
-{{ .Values.mariadb.primary.service.port }}
-{{- else -}}
-{{- end -}}
-{{- end -}}
-
 {{- define "postgresql.dns" -}}
 {{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.servicePort -}}
 {{- end -}}
@@ -108,21 +82,24 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "gitea.ldap_settings" -}}
-{{- if not (hasKey .Values.gitea.ldap "bindDn") -}}
+{{- $idx := index . 0 }}
-{{- $_ := set .Values.gitea.ldap "bindDn" "" -}}
+{{- $values := index . 1 }}
+
+{{- if not (hasKey $values "bindDn") -}}
+{{- $_ := set $values "bindDn" "" -}}
 {{- end -}}
 
-{{- if not (hasKey .Values.gitea.ldap "bindPassword") -}}
+{{- if not (hasKey $values "bindPassword") -}}
-{{- $_ := set .Values.gitea.ldap "bindPassword" "" -}}
+{{- $_ := set $values "bindPassword" "" -}}
 {{- end -}}
 
 {{- $flags := list "notActive" "skipTlsVerify" "allowDeactivateAll" "synchronizeUsers" "attributesInBind" -}}
-{{- range $key, $val := .Values.gitea.ldap -}}
+{{- range $key, $val := $values -}}
 {{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
 {{- if eq $key "bindDn" -}}
-{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_BIND_DN}" | quote ) -}}
+{{- printf "--%s \"${GITEA_LDAP_BIND_DN_%d}\" " ($key | kebabcase) ($idx) -}}
 {{- else if eq $key "bindPassword" -}}
-{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_PASSWORD}" | quote ) -}}
+{{- printf "--%s \"${GITEA_LDAP_PASSWORD_%d}\" " ($key | kebabcase) ($idx) -}}
 {{- else if eq $key "port" -}}
 {{- printf "--%s %d " $key ($val | int) -}}
 {{- else if has $key $flags -}}
@@ -135,9 +112,174 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "gitea.oauth_settings" -}}
-{{- range $key, $val := .Values.gitea.oauth -}}
+{{- $idx := index . 0 }}
-{{- if ne $key "enabled" -}}
+{{- $values := index . 1 }}
-{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
+
+{{- if not (hasKey $values "key") -}}
+{{- $_ := set $values "key" (printf "${GITEA_OAUTH_KEY_%d}" $idx) -}}
+{{- end -}}
+
+{{- if not (hasKey $values "secret") -}}
+{{- $_ := set $values "secret" (printf "${GITEA_OAUTH_SECRET_%d}" $idx) -}}
+{{- end -}}
+
+{{- range $key, $val := $values -}}
+{{- if ne $key "existingSecret" -}}
+{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "gitea.inline_configuration" -}}
+  {{- include "gitea.inline_configuration.init" . -}}
+  {{- include "gitea.inline_configuration.defaults" . -}}
+
+  {{- $generals := list -}}
+  {{- $inlines := dict -}}
+
+  {{- range $key, $value := .Values.gitea.config  }}
+    {{- if kindIs "map" $value }}
+      {{- if gt (len $value) 0 }}
+        {{- $section := default list (get $inlines $key) -}}
+        {{- range $n_key, $n_value := $value }}
+          {{- $section = append $section (printf "%s=%v" $n_key $n_value) -}}
+        {{- end }}
+        {{- $_ := set $inlines $key (join "\n" $section) -}}
+      {{- end -}}
+    {{- else }}
+      {{- if or (eq $key "APP_NAME") (eq $key "RUN_USER") (eq $key "RUN_MODE") -}}
+        {{- $generals = append $generals (printf "%s=%s" $key $value) -}}
+      {{- else -}}
+        {{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}}
+      {{- end -}}
+    {{- end }}
+  {{- end }}
+
+  {{- $_ := set $inlines "_generals_" (join "\n" $generals) -}}
+  {{- toYaml $inlines -}}
+{{- end -}}
+
+{{- define "gitea.inline_configuration.init" -}}
+  {{- if not (hasKey .Values.gitea.config "cache") -}}
+    {{- $_ := set .Values.gitea.config "cache" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "server") -}}
+    {{- $_ := set .Values.gitea.config "server" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "metrics") -}}
+    {{- $_ := set .Values.gitea.config "metrics" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "database") -}}
+    {{- $_ := set .Values.gitea.config "database" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "security") -}}
+    {{- $_ := set .Values.gitea.config "security" dict -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.repository -}}
+    {{- $_ := set .Values.gitea.config "repository" dict -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config "oauth2") -}}
+    {{- $_ := set .Values.gitea.config "oauth2" dict -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "gitea.inline_configuration.defaults" -}}
+  {{- include "gitea.inline_configuration.defaults.server" . -}}
+  {{- include "gitea.inline_configuration.defaults.database" . -}}
+
+  {{- if not .Values.gitea.config.repository.ROOT -}}
+    {{- $_ := set .Values.gitea.config.repository "ROOT" "/data/git/gitea-repositories" -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.security.INSTALL_LOCK -}}
+    {{- $_ := set .Values.gitea.config.security "INSTALL_LOCK" "true" -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
+    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
+  {{- end -}}
+  {{- if .Values.memcached.enabled -}}
+    {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
+    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}}
+    {{- if not (.Values.gitea.config.cache.HOST) -}}
+      {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "gitea.inline_configuration.defaults.server" -}}
+  {{- if not (hasKey .Values.gitea.config.server "HTTP_PORT") -}}
+    {{- $_ := set .Values.gitea.config.server "HTTP_PORT" .Values.service.http.port -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.server.PROTOCOL -}}
+    {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}}
+  {{- end -}}
+  {{- if not (.Values.gitea.config.server.DOMAIN) -}}
+    {{- if gt (len .Values.ingress.hosts) 0 -}}
+      {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
+    {{- else -}}
+      {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.server.ROOT_URL -}}
+    {{- if .Values.ingress.enabled -}}
+      {{- if gt (len .Values.ingress.tls) 0 -}}
+        {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}}
+      {{- else -}}
+        {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0).host) -}}
+      {{- end -}}
+    {{- else -}}
+      {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
+    {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
+  {{- end -}}
+  {{- if not .Values.gitea.config.server.SSH_PORT -}}
+    {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
+    {{- if not .Values.image.rootless -}}
+      {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
+    {{- else -}}
+      {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" "2222" -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.server "START_SSH_SERVER") -}}
+    {{- if .Values.image.rootless -}}
+      {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "true" -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}}
+    {{- $_ := set .Values.gitea.config.server "APP_DATA_PATH" "/data" -}}
+  {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.server "ENABLE_PPROF") -}}
+    {{- $_ := set .Values.gitea.config.server "ENABLE_PPROF" false -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "gitea.inline_configuration.defaults.database" -}}
+  {{- if .Values.postgresql.enabled -}}
+    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
+    {{- if not (.Values.gitea.config.database.HOST) -}}
+      {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
+    {{- end -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.postgresqlDatabase -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.postgresqlUsername -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.postgresqlPassword -}}
+  {{- else if .Values.mysql.enabled -}}
+    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
+    {{- if not (.Values.gitea.config.database.HOST) -}}
+      {{- $_ := set .Values.gitea.config.database "HOST"      (include "mysql.dns" .) -}}
+    {{- end -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mysql.db.name -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mysql.db.user -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mysql.db.password -}}
+  {{- else if .Values.mariadb.enabled -}}
+    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
+    {{- if not (.Values.gitea.config.database.HOST) -}}
+      {{- $_ := set .Values.gitea.config.database "HOST"      (include "mariadb.dns" .) -}}
+    {{- end -}}
+    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mariadb.auth.database -}}
+    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mariadb.auth.username -}}
+    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mariadb.auth.password -}}
+  {{- end -}}
+{{- end -}}

templates/gitea/config.yaml

@@ -1,148 +1,167 @@
 apiVersion: v1
 kind: Secret
+metadata:
+  name: {{ include "gitea.fullname" . }}-inline-config
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  {{- include "gitea.inline_configuration" . | nindent 2 }}
+---
+apiVersion: v1
+kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  app.ini: |-
+  config_environment.sh: |-
-    {{- if not (hasKey .Values.gitea.config "cache") -}}
+    #!/usr/bin/env bash
-    {{- $_ := set .Values.gitea.config "cache" dict -}}
+    set -euo pipefail
-    {{- end -}}
 
-    {{- if not (hasKey .Values.gitea.config "server") -}}
+    function env2ini::log() {
-    {{- $_ := set .Values.gitea.config "server" dict -}}
+      printf "${1}\n"
-    {{- end -}}
+    }
 
-    {{- if not (hasKey .Values.gitea.config "metrics") -}}
+    function env2ini::read_config_to_env() {
-    {{- $_ := set .Values.gitea.config "metrics" dict -}}
+      local section="${1}"
-    {{- end -}}
+      local line="${2}"
 
-    {{- if not (hasKey .Values.gitea.config "database") -}}
+      if [[ -z "${line}" ]]; then
-    {{- $_ := set .Values.gitea.config "database" dict -}}
+        # skip empty line
-    {{- end -}}
+        return
+      fi
+      
+      # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+      local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
 
-    {{- if not (hasKey .Values.gitea.config "security") -}}
+      if [[ -z "${setting}" ]]; then
-    {{- $_ := set .Values.gitea.config "security" dict -}}
+        env2ini::log '  ! invalid setting'
-    {{- end -}}
+        exit 1
+      fi
 
-    {{- if not .Values.gitea.config.repository -}}
+      local value=''
-    {{- $_ := set .Values.gitea.config "repository" dict -}}
+      local regex="^${setting}(\s*)=(\s*)(.*)"
-    {{- end -}}
+      if [[ $line =~ $regex ]]; then
+        value="${BASH_REMATCH[3]}"
+      else
+        env2ini::log '  ! invalid setting'
+        exit 1
+      fi
 
-    {{- /* repository default settings */ -}}
+      env2ini::log "    + '${setting}'"
-    {{- if not .Values.gitea.config.repository.ROOT -}}
-    {{- $_ := set .Values.gitea.config.repository "ROOT" "/data/git/gitea-repositories" -}}
-    {{- end -}}
 
-    {{- /* security default settings */ -}}
+      if [[ -z "${section}" ]]; then
-    {{- if not .Values.gitea.config.security.INSTALL_LOCK -}}
+        export "ENV_TO_INI____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
-    {{- $_ := set .Values.gitea.config.security "INSTALL_LOCK" "true" -}}
+        return
-    {{- end -}}
+      fi
 
-    {{- /* server default settings */ -}}
+      local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
-    {{- if not (hasKey .Values.gitea.config.server "HTTP_PORT") -}}
+      masked_section="${masked_section//-/_0X2D_}"
-    {{- $_ := set .Values.gitea.config.server "HTTP_PORT" .Values.service.http.port -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.PROTOCOL -}}
-    {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}}
-    {{- end -}}
-    {{- if not (.Values.gitea.config.server.DOMAIN) -}}
-    {{- if gt (len .Values.ingress.hosts) 0 -}}
-    {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.ROOT_URL -}}
-    {{- if .Values.ingress.enabled -}}
-    {{- if gt (len .Values.ingress.tls) 0 -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0).host) -}}
-    {{- end -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.SSH_PORT -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}}
-    {{- end -}}
-    {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
-    {{- if not .Values.image.rootless -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" "2222" -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not (hasKey .Values.gitea.config.server "START_SSH_SERVER") -}}
-    {{- if .Values.image.rootless -}}
-    {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "true" -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}}
-    {{- $_ := set .Values.gitea.config.server "APP_DATA_PATH" "/data" -}}
-    {{- end -}}
-    {{- if not (hasKey .Values.gitea.config.server "ENABLE_PPROF") -}}
-    {{- $_ := set .Values.gitea.config.server "ENABLE_PPROF" false -}}
-    {{- end -}}
 
-    {{- /* metrics default settings */ -}}
+      export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
-    {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
+    }
-    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
-    {{- end -}}
 
-    {{- /* database default settings */ -}}
+    function env2ini::reload_preset_envs() {
-    {{- if .Values.gitea.database.builtIn.postgresql.enabled -}}
+      env2ini::log "Reloading preset envs..."
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-    {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.postgresqlDatabase -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.postgresqlUsername -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.postgresqlPassword -}}
-    {{ else if .Values.gitea.database.builtIn.mysql.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-    {{- $_ := set .Values.gitea.config.database "HOST"      (include "mysql.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mysql.db.name -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mysql.db.user -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mysql.db.password -}}
-    {{ else if .Values.gitea.database.builtIn.mariadb.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-    {{- $_ := set .Values.gitea.config.database "HOST"      (include "mariadb.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mariadb.auth.database -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mariadb.auth.username -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mariadb.auth.password -}}
-    {{- end -}}
 
-    {{- /* cache default settings */ -}}
+      while read -r line; do
-    {{- if .Values.gitea.cache.builtIn.enabled -}}
+        if [[ -z "${line}" ]]; then
-    {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
+          # skip empty line
-    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}}
+          return
-    {{- if not (.Values.gitea.config.cache.HOST) -}}
+        fi
-    {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}}
-    {{- end -}}
-    {{- end -}}
 
-    {{- /* autogenerate app.ini */ -}}
+        # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
-    {{- range $key, $value := .Values.gitea.config  }}
+        local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
-    {{- if kindIs "map" $value }}
-    {{- if gt (len $value) 0 }}
 
-    [{{ $key }}]
+        if [[ -z "${setting}" ]]; then
-    {{- range $n_key, $n_value := $value }}
+          env2ini::log '  ! invalid setting'
-    {{ $n_key | upper }} = {{ $n_value }}
+          exit 1
-    {{- end }}
+        fi
-    {{- end }}
+
-    {{- else }}
+        local value=''
-    {{ $key | upper }} = {{ $value }}
+        local regex="^${setting}(\s*)=(\s*)(.*)"
-    {{- end }}
+        if [[ $line =~ $regex ]]; then
-    {{- end }}
+          value="${BASH_REMATCH[3]}"
+        else
+          env2ini::log '  ! invalid setting'
+          exit 1
+        fi
+
+        env2ini::log "  + '${setting}'"
+
+        export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+      done < "/tmp/existing-envs"
+
+      rm /tmp/existing-envs
+    }
+
+
+    function env2ini::process_config_file() {
+      local config_file="${1}"
+      local section="$(basename "${config_file}")"
+
+      if [[ $section == '_generals_' ]]; then
+        env2ini::log "  [ini root]"
+        section=''
+      else
+        env2ini::log "  ${section}"
+      fi
+
+      while read -r line; do
+        env2ini::read_config_to_env "${section}" "${line}"
+      done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
+    }
+
+    function env2ini::load_config_sources() {
+      local path="${1}"
+
+      env2ini::log "Processing $(basename "${path}")..."
+
+      while read -d '' configFile; do
+        env2ini::process_config_file "${configFile}"
+      done < <(find "${path}" -type l -not -name '..data' -print0)
+
+      env2ini::log "\n"
+    }
+
+    function env2ini::generate_initial_secrets() {
+      # These environment variables will either be
+      #   - overwritten with user defined values,
+      #   - initially used to set up Gitea
+      # Anyway, they won't harm existing app.ini files
+
+      export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+      export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+      export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+
+      env2ini::log "...Initial secrets generated\n"
+    }
+
+    env | (grep ENV_TO_INI || [[ $? == 1 ]]) > /tmp/existing-envs
+    
+    # MUST BE CALLED BEFORE OTHER CONFIGURATION
+    env2ini::generate_initial_secrets
+
+    env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
+    env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
+
+    # load existing envs to override auto generated envs
+    env2ini::reload_preset_envs
+
+    env2ini::log "=== All configuration sources loaded ===\n"
+
+    # safety to prevent rewrite of secret keys if an app.ini already exists
+    if [ -f ${GITEA_APP_INI} ]; then
+      env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
+      env2ini::log '  - security.INTERNAL_TOKEN'
+      env2ini::log '  - security.SECRET_KEY'
+      env2ini::log '  - oauth2.JWT_SECRET'
+
+      unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN
+      unset ENV_TO_INI__SECURITY__SECRET_KEY
+      unset ENV_TO_INI__OAUTH2__JWT_SECRET
+    fi
+
+    environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI

templates/gitea/deprecation.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.checkDeprecation -}}
+  {{/* CUSTOM PROBES */}}
+  {{- if .Values.gitea.customLivenessProbe -}}
+    {{- fail "`gitea.customLivenessProbe` does no longer exist. Please refer to the changelog and configure `gitea.livenessProbe` instead." -}}
+  {{- end -}}
+  {{- if .Values.gitea.customReadinessProbe -}}
+    {{- fail "`gitea.customReadinessProbe` does no longer exist. Please refer to the changelog and configure `gitea.readinessProbe` instead." -}}
+  {{- end -}}
+  {{- if .Values.gitea.customStartupProbe -}}
+    {{- fail "`gitea.customStartupProbe` does no longer exist. Please refer to the changelog and configure `gitea.startupProbe` instead." -}}
+  {{- end -}}
+
+  {{/* LDAP SOURCES */}}
+  {{- if kindIs "map" .Values.gitea.ldap -}}
+    {{- fail "You can configure multiple LDAP sources. Please refer to the changelog and switch `gitea.ldap` from object to array notation." -}}
+  {{- end -}}
+  
+  {{/* OAUTH SOURCES */}}
+  {{- if kindIs "map" .Values.gitea.oauth -}}
+    {{- fail "You can configure multiple OAuth sources. Please refer to the changelog and switch `gitea.oauth` from object to array notation." -}}
+  {{- end -}}
+  
+  {{/* BUILTIN */}}
+  {{- if .Values.gitea.cache -}}
+    {{- if .Values.gitea.cache.builtIn -}}
+      {{- fail "`gitea.cache.builtIn` does no longer exist. Please use `memcached` at root level instead." -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if .Values.gitea.database -}}
+    {{- if .Values.gitea.database.builtIn -}}
+      {{- fail "`gitea.database.builtIn` does no longer exist. Builtin databases can be configured inside the dependencies itself. Please refer to the changelog." -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}

templates/gitea/http-svc.yaml

@@ -21,6 +21,13 @@ spec:
   externalIPs:
     {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
   {{- end }}
+  {{- if .Values.service.http.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.http.ipFamilyPolicy }}
+  {{- end }}
+  {{- with .Values.service.http.ipFamilies }}
+  ipFamilies:
+  {{- toYaml . | nindent 4 }}
+  {{- end -}}
   {{- if .Values.service.http.externalTrafficPolicy }}
   externalTrafficPolicy: {{ .Values.service.http.externalTrafficPolicy }}
   {{- end }}

templates/gitea/ingress.yaml

@@ -1,13 +1,15 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "gitea.fullname" . -}}
 {{- $httpPort := .Values.service.http.port -}}
-{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
+{{- $apiVersion := "extensions/v1beta1" -}}
-apiVersion: networking.k8s.io/v1
+{{- if .Values.ingress.apiVersion -}}
+{{- $apiVersion = .Values.ingress.apiVersion -}}
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
+{{- $apiVersion = "networking.k8s.io/v1" }}
 {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
-apiVersion: networking.k8s.io/v1beta1
+{{- $apiVersion = "networking.k8s.io/v1beta1" }}
-{{- else -}}
-apiVersion: extensions/v1beta1
 {{- end }}
+apiVersion: {{ $apiVersion }}
 kind: Ingress
 metadata:
   name: {{ $fullName }}
@@ -18,6 +20,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
+{{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+{{- end }}
 {{- if .Values.ingress.tls }}
   tls:
   {{- range .Values.ingress.tls }}
@@ -35,11 +40,11 @@ spec:
         paths:
           {{- range .paths }}
           - path: {{ .path }}
-            {{- if and .pathType ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }}
+            {{- if and .pathType (eq $apiVersion "networking.k8s.io/v1") }}
             pathType: {{ .pathType }}
             {{- end }}
             backend:
-            {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+            {{- if eq $apiVersion "networking.k8s.io/v1" }}
               service:
                 name: {{ $fullName }}-http
                 port:

templates/gitea/init.yaml

@@ -26,46 +26,29 @@ stringData:
     {{- end }}
     mkdir -p /data/git/.ssh
     chmod -R 700 /data/git/.ssh
-    mkdir -p /data/gitea/conf
+    [ ! -d /data/gitea ] && mkdir -p /data/gitea/conf
 
     # prepare temp directory structure
     mkdir -p "${GITEA_TEMP}"
+    {{- if not .Values.image.rootless }}
     chown 1000:1000 "${GITEA_TEMP}"
+    {{- end }}
     chmod ug+rwx "${GITEA_TEMP}"
 
-    # Copy config file to writable volume
-    cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
-    chmod a+rwx /data/gitea/conf/app.ini
   configure_gitea.sh: |-
     #!/usr/bin/env bash
 
     set -euo pipefail
 
-    {{- if include "db.servicename" . }}
-    # Connection retry inspired by https://gist.github.com/dublx/e99ea94858c07d2ca6de
-    function test_db_connection() {
-      local RETRY=0
-      local MAX=30
-
-      echo 'Wait for database to become avialable...'
-      until [ "${RETRY}" -ge "${MAX}" ]; do
-        nc -vz -w2 {{ include "db.servicename" . }} {{ include "db.port" . }} && break
-        RETRY=$[${RETRY}+1]
-        echo "...not ready yet (${RETRY}/${MAX})"
-      done
-
-      if [ "${RETRY}" -ge "${MAX}" ]; then
-        echo "Database not reachable after '${MAX}' attempts!"
-        exit 1
-      fi
-    }
-
-    test_db_connection
-    {{- end }}
-
     echo '==== BEGIN GITEA CONFIGURATION ===='
 
-    gitea migrate
+    { # try
+      gitea migrate
+    } || { # catch
+      echo "Gitea migrate might fail due to database connection...This init-container will try again in a few seconds"
+      exit 1
+    }
+    
 
     {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
     function configure_admin_user() {
@@ -84,42 +67,50 @@ stringData:
     configure_admin_user
     {{- end }}
 
-    {{- if .Values.gitea.ldap.enabled }}
     function configure_ldap() {
-      local LDAP_NAME={{ (printf "%s" .Values.gitea.ldap.name) | squote }}
+      {{- if .Values.gitea.ldap }}
+      {{- range $idx, $value := .Values.gitea.ldap }}
+      local LDAP_NAME={{ (printf "%s" $value.name) | squote }}
       local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")
 
       if [[ -z "${GITEA_AUTH_ID}" ]]; then
         echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
-        gitea admin auth add-ldap {{- include "gitea.ldap_settings" . | indent 1 }}
+        gitea admin auth add-ldap {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
         echo '...installed.'
       else
         echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..."
-        gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" . | indent 1 }}
+        gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
         echo '...sync settings done.'
       fi
+      {{- end }}
+      {{- else }}
+        echo 'no ldap configuration... skipping.'
+      {{- end }}
     }
 
     configure_ldap
-    {{- end }}
 
-    {{- if .Values.gitea.oauth.enabled }}
     function configure_oauth() {
-      local OAUTH_NAME={{ (printf "%s" .Values.gitea.oauth.name) | squote }}
+      {{- if .Values.gitea.oauth }}
+      {{- range $idx, $value := .Values.gitea.oauth }}
+      local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
       local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")
 
       if [[ -z "${AUTH_ID}" ]]; then
         echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
-        gitea admin auth add-oauth {{- include "gitea.oauth_settings" . | indent 1 }}
+        gitea admin auth add-oauth {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
         echo '...installed.'
       else
         echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
-        gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" . | indent 1 }}
+        gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
         echo '...sync settings done.'
       fi
+      {{- end }}
+      {{- else }}
+        echo 'no oauth configuration... skipping.'
+      {{- end }}
     }
 
     configure_oauth
-    {{- end }}
 
     echo '==== END GITEA CONFIGURATION ===='

templates/gitea/ssh-svc.yaml

@@ -26,6 +26,13 @@ spec:
   externalIPs:
     {{- toYaml .Values.service.ssh.externalIPs | nindent 4 }}
   {{- end }}
+  {{- if .Values.service.ssh.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ssh.ipFamilyPolicy }}
+  {{- end }}
+  {{- with .Values.service.ssh.ipFamilies }}
+  ipFamilies:
+  {{- toYaml . | nindent 4 }}
+  {{- end -}}
   {{- if .Values.service.ssh.externalTrafficPolicy }}
   externalTrafficPolicy: {{ .Values.service.ssh.externalTrafficPolicy }}
   {{- end }}

templates/gitea/statefulset.yaml

@@ -2,6 +2,10 @@ apiVersion: apps/v1
 kind: StatefulSet
 metadata:
   name: {{ include "gitea.fullname" . }}
+  annotations:
+    {{- if .Values.statefulset.annotations }}
+    {{- toYaml .Values.statefulset.annotations | nindent 4 }}
+    {{- end }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 spec:
@@ -17,8 +21,12 @@ spec:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }}
-        checksum/ldap: {{ include "gitea.ldap_settings" . | sha256sum }}
+        {{- range $idx, $value := .Values.gitea.ldap }}
-        checksum/oauth: {{ include "gitea.oauth_settings" . | sha256sum }}
+        checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }}
+        {{- end }}
+        {{- range $idx, $value := .Values.gitea.oauth }}
+        checksum/oauth_{{ $idx }}: {{ include "gitea.oauth_settings" (list $idx $value) | sha256sum }}
+        {{- end }}
         {{- with .Values.gitea.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -36,10 +44,11 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       securityContext:
-        fsGroup: 1000
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:
         - name: init-directories
           image: "{{ include "gitea.image" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
           command: ["/usr/sbin/init_directory_structure.sh"]
           env:
             - name: GITEA_APP_INI
@@ -58,18 +67,20 @@ spec:
               mountPath: /usr/sbin
             - name: temp
               mountPath: /tmp
-            - name: config
-              mountPath: /etc/gitea/conf
             - name: data
               mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
             {{- if .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
-        - name: configure-gitea
-          image: "{{ include "gitea.image" . }}"
-          command: ["/usr/sbin/configure_gitea.sh"]
           securityContext:
-            runAsUser: 1000
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+        - name: init-app-ini
+          image: "{{ include "gitea.image" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["/usr/sbin/config_environment.sh"]
           env:
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
@@ -79,23 +90,88 @@ spec:
               value: /data
             - name: GITEA_TEMP
               value: /tmp/gitea
-            {{- if .Values.gitea.ldap.enabled }}
+            {{- if .Values.statefulset.env }}
-            {{- if .Values.gitea.ldap.existingSecret }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
-            - name: GITEA_LDAP_BIND_DN
+            {{- end }}
+            {{- if .Values.gitea.additionalConfigFromEnvs }}
+            {{- toYaml .Values.gitea.additionalConfigFromEnvs | nindent 12 }}
+            {{- end }}
+          volumeMounts:
+            - name: config
+              mountPath: /usr/sbin
+            - name: temp
+              mountPath: /tmp
+            - name: data
+              mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
+            - name: inline-config-sources
+              mountPath: /env-to-ini-mounts/inlines/
+            {{- range $idx, $value := .Values.gitea.additionalConfigSources }}
+            - name: additional-config-sources-{{ $idx }}
+              mountPath: "/env-to-ini-mounts/additionals/{{ $idx }}/"
+            {{- end }}
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
+          securityContext:
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+        - name: configure-gitea
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/configure_gitea.sh"]
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
+            {{- $csc := deepCopy .Values.containerSecurityContext -}}
+            {{- if not (hasKey $csc "runAsUser") -}}
+            {{- $_ := set $csc "runAsUser" 1000 -}}
+            {{- end -}}
+            {{- toYaml $csc | nindent 12 }}
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
+            {{- if .Values.gitea.ldap }}
+            {{- range $idx, $value := .Values.gitea.ldap }}
+            {{- if $value.existingSecret }}
+            - name: GITEA_LDAP_BIND_DN_{{ $idx }}
               valueFrom:
                 secretKeyRef:
                   key:  bindDn
-                  name: {{ .Values.gitea.ldap.existingSecret }}
+                  name: {{ $value.existingSecret }}
-            - name: GITEA_LDAP_PASSWORD
+            - name: GITEA_LDAP_PASSWORD_{{ $idx }}
               valueFrom:
                 secretKeyRef:
                   key:  bindPassword
-                  name: {{ .Values.gitea.ldap.existingSecret }}
+                  name: {{ $value.existingSecret }}
             {{- else }}
-            - name: GITEA_LDAP_BIND_DN
+            - name: GITEA_LDAP_BIND_DN_{{ $idx }}
-              value: {{ .Values.gitea.ldap.bindDn | quote }}
+              value: {{ $value.bindDn | quote }}
-            - name: GITEA_LDAP_PASSWORD
+            - name: GITEA_LDAP_PASSWORD_{{ $idx }}
-              value: {{ .Values.gitea.ldap.bindPassword | quote }}
+              value: {{ $value.bindPassword | quote }}
+            {{- end }}
+            {{- end }}
+            {{- end }}
+            {{- if .Values.gitea.oauth }}
+            {{- range $idx, $value := .Values.gitea.oauth }}
+            {{- if $value.existingSecret }}
+            - name: GITEA_OAUTH_KEY_{{ $idx }}
+              valueFrom:
+                secretKeyRef:
+                  key:  key
+                  name: {{ $value.existingSecret }}
+            - name: GITEA_OAUTH_SECRET_{{ $idx }}
+              valueFrom:
+                secretKeyRef:
+                  key:  secret
+                  name: {{ $value.existingSecret }}
+            {{- end }}
             {{- end }}
             {{- end }}
             {{- if .Values.gitea.admin.existingSecret }}
@@ -125,6 +201,9 @@ spec:
               mountPath: /tmp
             - name: data
               mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
             {{- if .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
@@ -159,60 +238,44 @@ spec:
           ports:
             - name: ssh
               containerPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
+            {{- if .Values.service.ssh.hostPort }}
+              hostPort: {{ .Values.service.ssh.hostPort }}
+            {{- end }}
             - name: http
               containerPort: {{ .Values.gitea.config.server.HTTP_PORT }}
             {{- if .Values.gitea.config.server.ENABLE_PPROF }}
             - name: profiler
               containerPort: 6060
             {{- end }}
-          {{- if .Values.gitea.livenessProbe.enabled }}
+          {{- if .Values.gitea.livenessProbe }}
           livenessProbe:
-            tcpSocket:
+            {{- toYaml .Values.gitea.livenessProbe | nindent 12 }}
-              port: http
-            initialDelaySeconds: {{ .Values.gitea.livenessProbe.initialDelaySeconds }}
-            periodSeconds: {{ .Values.gitea.livenessProbe.periodSeconds }}
-            timeoutSeconds: {{ .Values.gitea.livenessProbe.timeoutSeconds }}
-            successThreshold: {{ .Values.gitea.livenessProbe.successThreshold }}
-            failureThreshold: {{ .Values.gitea.livenessProbe.failureThreshold }}
-          {{- else if .Values.gitea.customLivenessProbe }}
-          livenessProbe:
-            {{- toYaml .Values.gitea.customLivenessProbe | nindent 12 }}
           {{- end }}
-          {{- if .Values.gitea.readinessProbe.enabled }}
+          {{- if .Values.gitea.readinessProbe }}
           readinessProbe:
-            tcpSocket:
+            {{- toYaml .Values.gitea.readinessProbe | nindent 12 }}
-              port: http
-            initialDelaySeconds: {{ .Values.gitea.readinessProbe.initialDelaySeconds }}
-            periodSeconds: {{ .Values.gitea.readinessProbe.periodSeconds }}
-            timeoutSeconds: {{ .Values.gitea.readinessProbe.timeoutSeconds }}
-            successThreshold: {{ .Values.gitea.readinessProbe.successThreshold }}
-            failureThreshold: {{ .Values.gitea.readinessProbe.failureThreshold }}
-          {{- else if .Values.gitea.customReadinessProbe }}
-          readinessProbe:
-            {{- toYaml .Values.gitea.customReadinessProbe | nindent 12 }}
           {{- end }}
-          {{- if .Values.gitea.startupProbe.enabled }}
+          {{- if .Values.gitea.startupProbe }}
           startupProbe:
-            tcpSocket:
+            {{- toYaml .Values.gitea.startupProbe | nindent 12 }}
-              port: http
-            initialDelaySeconds: {{ .Values.gitea.startupProbe.initialDelaySeconds }}
-            periodSeconds: {{ .Values.gitea.startupProbe.periodSeconds }}
-            timeoutSeconds: {{ .Values.gitea.startupProbe.timeoutSeconds }}
-            successThreshold: {{ .Values.gitea.startupProbe.successThreshold }}
-            failureThreshold: {{ .Values.gitea.startupProbe.failureThreshold }}
-          {{- else if .Values.gitea.customStartupProbe }}
-          startupProbe:
-            {{- toYaml .Values.gitea.customStartupProbe | nindent 12 }}
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- /* Honor the deprecated securityContext variable when defined */ -}}
+            {{- if .Values.containerSecurityContext -}}
+            {{ toYaml .Values.containerSecurityContext | nindent 12 -}}
+            {{- else -}}
+            {{ toYaml .Values.securityContext | nindent 12 -}}
+            {{- end }}
           volumeMounts:
             - name: temp
               mountPath: /tmp
             - name: data
               mountPath: /data
+              {{- if .Values.persistence.subPath }}
+              subPath: {{ .Values.persistence.subPath }}
+              {{- end }}
             {{- if .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
@@ -232,19 +295,29 @@ spec:
         - name: init
           secret:
             secretName: {{ include "gitea.fullname" . }}-init
-            defaultMode: 0777
+            defaultMode: 110
         - name: config
           secret:
             secretName: {{ include "gitea.fullname" . }}
+            defaultMode: 110
         {{- if .Values.extraVolumes }}
         {{- toYaml .Values.extraVolumes | nindent 8 }}
         {{- end }}
+        - name: inline-config-sources
+          secret:
+            secretName: {{ include "gitea.fullname" . }}-inline-config
+        {{- range $idx, $value := .Values.gitea.additionalConfigSources }}
+        - name: additional-config-sources-{{ $idx }}
+          {{- toYaml $value | nindent 10 }}
+        {{- end }}
         - name: temp
           emptyDir: {}
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
         - name: data
           persistentVolumeClaim:
-            claimName: {{ .Values.persistence.existingClaim }}
+  {{- with .Values.persistence.existingClaim }}
+            claimName: {{ tpl . $ }}
+  {{- end }}
   {{- else if not .Values.persistence.enabled }}
         - name: data
           emptyDir: {}

values.yaml

@@ -8,14 +8,18 @@ clusterDomain: cluster.local
 
 image:
   repository: gitea/gitea
-  tag: 1.14.3
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
   pullPolicy: Always
   rootless: false # only possible when running 1.14 or later
 
 imagePullSecrets: []
 
-# only usable with rootless image due to image design
+# Security context is only usable with rootless image due to image design
-securityContext: {}
+podSecurityContext:
+  fsGroup: 1000
+
+containerSecurityContext: {}
 #   allowPrivilegeEscalation: false
 #   capabilities:
 #     drop:
@@ -33,6 +37,11 @@ securityContext: {}
 #   runAsNonRoot: true
 #   runAsUser: 1000
 
+# DEPRECATED. The securityContext variable has been split two:
+# - containerSecurityContext
+# - podSecurityContext.
+securityContext: {}
+
 service:
   http:
     type: ClusterIP
@@ -42,6 +51,8 @@ service:
     #nodePort:
     #externalTrafficPolicy:
     #externalIPs:
+    #ipFamilyPolicy:
+    #ipFamilies:
     loadBalancerSourceRanges: []
     annotations:
   ssh:
@@ -52,11 +63,15 @@ service:
     #nodePort:
     #externalTrafficPolicy:
     #externalIPs:
+    #ipFamilyPolicy:
+    #ipFamilies:
+    #hostPort:
     loadBalancerSourceRanges: []
     annotations:
 
 ingress:
   enabled: false
+  # className: nginx
   annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
@@ -69,6 +84,9 @@ ingress:
   #  - secretName: chart-example-tls
   #    hosts:
   #      - git.example.com
+  # Mostly for argocd or any other CI that uses `helm template | kubectl apply` or similar
+  # If helm doesn't correctly detect your ingress API version you can set it here.
+  # apiVersion: networking.k8s.io/v1
 
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
@@ -99,6 +117,7 @@ statefulset:
     #   value: my-value
   terminationGracePeriodSeconds: 60
   labels: {}
+  annotations: {}
 
 persistence:
   enabled: true
@@ -109,6 +128,7 @@ persistence:
   labels: {}
   annotations: {}
   # storageClass:
+  # subPath:
 
 # additional volumes to add to the Gitea statefulset.
 extraVolumes:
@@ -153,34 +173,34 @@ gitea:
       #  additionalLabels:
       #    prometheus-release: prom1
 
-  ldap:
+  ldap: []
-    enabled: false
+    # - name: "LDAP 1"
-    #existingSecret: gitea-ldap-secret
+    #  existingSecret:
-    #name:
+    #  securityProtocol:
-    #securityProtocol:
+    #  host:
-    #host:
+    #  port:
-    #port:
+    #  userSearchBase:
-    #userSearchBase:
+    #  userFilter:
-    #userFilter:
+    #  adminFilter:
-    #adminFilter:
+    #  emailAttribute:
-    #emailAttribute:
+    #  bindDn:
-    #bindDn:
+    #  bindPassword:
-    #bindPassword:
+    #  usernameAttribute:
-    #usernameAttribute:
+    #  publicSSHKeyAttribute:
-    #sshPublicKeyAttribute:
 
-  oauth:
+  # Either specify inline `key` and `secret` or refer to them via `existingSecret`
-    enabled: false
+  oauth: []
-    #name:
+    # - name: 'OAuth 1'
-    #provider:
+    #   provider:
-    #key:
+    #   key:
-    #secret:
+    #   secret:
-    #autoDiscoverUrl:
+    #   existingSecret:
-    #useCustomUrls:
+    #   autoDiscoverUrl:
-    #customAuthUrl:
+    #   useCustomUrls:
-    #customTokenUrl:
+    #   customAuthUrl:
-    #customProfileUrl:
+    #   customTokenUrl:
-    #customEmailUrl:
+    #   customProfileUrl:
+    #   customEmailUrl:
 
   config: {}
   #  APP_NAME: "Gitea: Git with a cup of tea"
@@ -192,73 +212,53 @@ gitea:
   #  security:
   #    PASSWORD_COMPLEXITY: spec
 
+  additionalConfigSources: []
+  #   - secret:
+  #       secretName: gitea-app-ini-oauth
+  #   - configMap:
+  #       name: gitea-app-ini-plaintext
+
+  additionalConfigFromEnvs: []
+
   podAnnotations: {}
 
-  database:
+  # Modify the liveness probe for your needs or completely disable it by commenting out.
-    builtIn:
-      postgresql:
-        enabled: true
-      mysql:
-        enabled: false
-      mariadb:
-        enabled: false
-
-  cache:
-    builtIn:
-      enabled: true
-
   livenessProbe:
-    enabled: true
+    tcpSocket:
+      port: http
     initialDelaySeconds: 200
     timeoutSeconds: 1
     periodSeconds: 10
     successThreshold: 1
     failureThreshold: 10
+
+  # Modify the readiness probe for your needs or completely disable it by commenting out.
   readinessProbe:
-    enabled: true
+    tcpSocket:
+      port: http
     initialDelaySeconds: 5
     timeoutSeconds: 1
     periodSeconds: 10
     successThreshold: 1
     failureThreshold: 3
-  startupProbe:
-    enabled: false
-    initialDelaySeconds: 60
-    timeoutSeconds: 1
-    periodSeconds: 10
-    successThreshold: 1
-    failureThreshold: 10
 
-  # customLivenessProbe:
+  # # Uncomment the startup probe to enable and modify it for your needs.
-  #   httpGet:
+  # startupProbe:
-  #     path: /user/login
+  #   tcpSocket:
-  #     port: http
-  #   initialDelaySeconds: 60
-  #   periodSeconds: 10
-  #   successThreshold: 1
-  #   failureThreshold: 10
-  # customReadinessProbe:
-  #   httpGet:
-  #     path: /user/login
-  #     port: http
-  #   initialDelaySeconds: 5
-  #   periodSeconds: 10
-  #   successThreshold: 1
-  #   failureThreshold: 3
-  # customStartupProbe:
-  #   httpGet:
-  #     path: /user/login
   #     port: http
   #   initialDelaySeconds: 60
+  #   timeoutSeconds: 1
   #   periodSeconds: 10
   #   successThreshold: 1
   #   failureThreshold: 10
 
 memcached:
+  enabled: true
   service:
     port: 11211
 
 postgresql:
+  enabled: true
   global:
     postgresql:
       postgresqlDatabase: gitea
@@ -269,6 +269,7 @@ postgresql:
     size: 10Gi
 
 mysql:
+  enabled: false
   root:
     password: gitea
   db:
@@ -281,6 +282,7 @@ mysql:
     size: 10Gi
 
 mariadb:
+  enabled: false
   auth:
     database: gitea
     username: gitea
@@ -291,3 +293,7 @@ mariadb:
       port: 3306
     persistence:
       size: 10Gi
+
+# By default, removed or moved settings that still remain in a user defined values.yaml will cause Helm to fail running the install/update.
+# Set it to false to skip this basic validation check.
+checkDeprecation: true