Fix aws secrets (#438)

@lunny

It still looks like that the IAM user does not have enough permissions for the S3 sync operation.

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/438
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: pat-s <patrick.schratz@gmail.com>
Co-committed-by: pat-s <patrick.schratz@gmail.com>

.drone.yml

@@ -8,97 +8,40 @@ platform:
   arch: arm64
 
 steps:
-- name: helm lint
+  - name: helm lint
-  pull: always
+    pull: always
-  image: alpine:3.17
+    image: alpine:3.17
-  commands:
+    commands:
-  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
+      - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-  - helm lint
+      - helm lint
 
-- name: helm template
+  - name: helm template
-  pull: always
+    pull: always
-  image: alpine:3.17
+    image: alpine:3.17
-  commands:
+    commands:
-  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
+      - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-  - helm dependency update
+      - helm dependency update
-  - helm template --debug gitea-helm .
+      - helm template --debug gitea-helm .
 
-- name: helm unittests
+  - name: helm unittests
-  pull: always
+    pull: always
-  image: alpine:3.17
+    image: alpine:3.17
-  commands:
+    commands:
-  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make helm git bash
+      - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make helm git bash
-  - helm plugin install https://github.com/helm-unittest/helm-unittest
+      - helm plugin install --version 0.3.1 https://github.com/helm-unittest/helm-unittest
-  - helm dependency update
+      - helm dependency update
-  - make unittests
+      - make unittests
 
-- name: verify readme
+  - name: verify readme
-  pull: always
+    pull: always
-  image: alpine:3.17
+    image: alpine:3.17
-  commands:
+    commands:
-  - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make npm git
+      - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make npm git
-  - make readme
+      - make readme
-  - git diff --exit-code --name-only README.md
+      - git diff --exit-code --name-only README.md
 
-- name: discord
+  - name: yaml lint
-  pull: always
+    pull: always
-  image: appleboy/drone-discord:1.2.4
+    image: cytopia/yamllint:alpine-1
-  environment:
+    commands:
-    DISCORD_WEBHOOK_ID:
+      - yamllint -f colored .
-      from_secret: discord_webhook_id
-    DISCORD_WEBHOOK_TOKEN:
-      from_secret: discord_webhook_token
-  when:
-    status:
-    - changed
-    - failure
-
-
----
-kind: pipeline
-type: docker
-name: release-version
-
-platform:
-  os: linux
-  arch: arm64
-
-trigger:
-  event:
-  - tag
-
-steps:
-- name: generate-chart
-  pull: always
-  image: alpine:3.17
-  commands:
-    - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
-    - apk add --no-cache curl
-    - helm dependency update
-    - helm package --version "${DRONE_TAG##v}" ./
-    - mkdir gitea
-    - mv gitea*.tgz gitea/
-    - curl -L -o gitea/index.yaml https://dl.gitea.io/charts/index.yaml
-    - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
-
-- name: upload-chart
-  pull: always
-  image: plugins/s3:latest
-  settings:
-    acl:
-      from_secret: aws_s3_acl
-    region:
-      from_secret: aws_s3_region
-    bucket:
-      from_secret: aws_s3_bucket
-    endpoint:
-      from_secret: aws_s3_endpoint
-    path_style:
-      from_secret: aws_s3_path_style
-    access_key:
-      from_secret: aws_access_key_id
-    secret_key:
-      from_secret: aws_secret_access_key
-    source: gitea/*
-    target: /charts
-    strip_prefix: gitea/

.gitea/workflows/release-version.yml

@@ -0,0 +1,42 @@
+name: generate-chart
+
+on:
+  push:
+    tags:
+      - "*"
+
+jobs:
+  generate-chart-publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: install tools
+        run: |
+          apt update -y
+          apt install -y curl
+          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          apt update -y
+          apt install -y python helm python3-pip apt-transport-https
+          pip install awscli
+      - name: package chart
+        run: |
+          helm dependency update
+          helm package --version "${GITHUB_REF#refs/tags/v}" ./
+          mkdir gitea
+          mv gitea*.tgz gitea/
+          curl -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
+          helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
+      - name: aws credential configure
+        uses: https://github.com/aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+      - name: install aws cli
+        run: |
+          apt update -y &&
+          pip install awscli
+      - name: Copy files to S3 and clear cache
+        run: |
+          aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/

.markdownlint.yaml

@@ -129,12 +129,12 @@ MD041:
 MD044:
   # List of proper names
   names:
-  - Gitea
+    - Gitea
-  - PostgreSQL
+    - PostgreSQL
-  - Memcached
+    - Memcached
-  - Prometheus
+    - Prometheus
-  - Git
+    - Git
-  - GitOps
+    - GitOps
   # Include code blocks
   code_blocks: false
 

.markdownlintignore

@@ -1,3 +1,4 @@
 .gitea/
 node_modules/
 charts/
+Chart.lock

.prettierignore

@@ -0,0 +1 @@
+Chart.lock

.yamllint

@@ -0,0 +1,20 @@
+---
+extends: default
+
+ignore: |
+  .yamllint
+  node_modules
+  templates
+
+
+rules:
+  truthy:
+    allowed-values: ['true', 'false']
+    check-keys: False
+    level: error
+  line-length: disable
+  document-start: disable
+  comments:
+    min-spaces-from-content: 1
+  braces:
+    max-spaces-inside: 2

Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: memcached
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 6.3.7
+  version: 6.3.13
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 12.2.6
-digest: sha256:c2026881f71eca24c72e9da3e798a1ad2a5af8e86a39a5341015584eaacf8b64
+digest: sha256:7a37054b0ae841314b1e309fec6f1edc0f22f77161ee915ebfb1ce011457884c
-generated: "2023-03-27T19:20:21.125036+02:00"
+generated: "2023-03-28T21:20:51.230043+02:00"

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.19.0
+appVersion: 1.19.1
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:
@@ -28,16 +28,18 @@ maintainers:
     email: lucas.hahn@novum-rgi.de
   - name: Steven Kriegler
     email: sk.bunsenbrenner@gmail.com
+  - name: Patrick Schratz
+    email: patrick.schratz@gmail.com
 
 # Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
 dependencies:
-# OCI registry: https://blog.bitnami.com/2023/01/bitnami-helm-charts-available-as-oci.html (2023-01)
+  # OCI registry: https://blog.bitnami.com/2023/01/bitnami-helm-charts-available-as-oci.html (2023-01)
-# Chart release date: 2023-02
+  # Chart release date: 2023-03
-- name: memcached
+  - name: memcached
-  repository: oci://registry-1.docker.io/bitnamicharts
+    repository: oci://registry-1.docker.io/bitnamicharts
-  version: 6.3.7
+    version: 6.3.13
-  condition: memcached.enabled
+    condition: memcached.enabled
-- name: postgresql
+  - name: postgresql
-  repository: oci://registry-1.docker.io/bitnamicharts
+    repository: oci://registry-1.docker.io/bitnamicharts
-  version: 12.2.6
+    version: 12.2.6
-  condition: postgresql.enabled
+    condition: postgresql.enabled

README.md

@@ -672,6 +672,7 @@ gitea:
 | `tolerations`                               | Tolerations for the statefulset                        | `[]`  |
 | `affinity`                                  | Affinity for the statefulset                           | `{}`  |
 | `dnsConfig`                                 | dnsConfig for the statefulset                          | `{}`  |
+| `priorityClassName`                         | priorityClassName for the statefulset                  | `""`  |
 | `statefulset.env`                           | Additional environment variables to pass to containers | `[]`  |
 | `statefulset.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod         | `60`  |
 | `statefulset.labels`                        | Labels for the statefulset                             | `{}`  |
@@ -696,9 +697,12 @@ gitea:
 
 ### Init
 
-| Name            | Description                                                           | Value |
+| Name                                       | Description                                                                          | Value   |
-| --------------- | --------------------------------------------------------------------- | ----- |
+| ------------------------------------------ | ------------------------------------------------------------------------------------ | ------- |
-| `initPreScript` | Bash shell script copied verbatim to the start of the init-container. | `""`  |
+| `initPreScript`                            | Bash shell script copied verbatim to the start of the init-container.                | `""`    |
+| `initContainers.resources.limits`          | initContainers.limits Kubernetes resource limits for init containers                 | `{}`    |
+| `initContainers.resources.requests.cpu`    | initContainers.requests.cpu Kubernetes cpu resource limits for init containers       | `100m`  |
+| `initContainers.resources.requests.memory` | initContainers.requests.memory Kubernetes memory resource limits for init containers | `128Mi` |
 
 ### Signing
 
@@ -765,10 +769,10 @@ gitea:
 
 ### Memcached
 
-| Name                     | Description                                                                                                                                                                                           | Value   |
+| Name                                | Description                                                                                                                                                                                           | Value   |
-| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `memcached.enabled`      | Memcached is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/memcached) if enabled in the values. Complete Configuration can be taken from their website. | `true`  |
+| `memcached.enabled`                 | Memcached is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/memcached) if enabled in the values. Complete Configuration can be taken from their website. | `true`  |
-| `memcached.service.port` | Port for Memcached                                                                                                                                                                                    | `11211` |
+| `memcached.service.ports.memcached` | Port for Memcached                                                                                                                                                                                    | `11211` |
 
 ### PostgreSQL
 

templates/_helpers.tpl

@@ -96,7 +96,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "memcached.dns" -}}
-{{- printf "%s-memcached.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.memcached.service.port | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-memcached.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.memcached.service.ports.memcached | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{- define "gitea.default_domain" -}}
@@ -287,22 +287,6 @@ https
     {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.auth.database -}}
     {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.auth.username -}}
     {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.auth.password -}}
-  {{- else if .Values.mysql.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-      {{- $_ := set .Values.gitea.config.database "HOST"      (include "mysql.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mysql.db.name -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mysql.db.user -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mysql.db.password -}}
-  {{- else if .Values.mariadb.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-      {{- $_ := set .Values.gitea.config.database "HOST"      (include "mariadb.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mariadb.auth.database -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mariadb.auth.username -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mariadb.auth.password -}}
   {{- end -}}
 {{- end -}}
 

templates/gitea/statefulset.yaml

@@ -39,6 +39,9 @@ spec:
       {{- if .Values.schedulerName }}
       schedulerName: "{{ .Values.schedulerName }}"
       {{- end }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: "{{ .Values.priorityClassName }}"
+      {{- end }}
       {{- include "gitea.images.pullSecrets" . | nindent 6 }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -76,6 +79,8 @@ spec:
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           securityContext:
             {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
         - name: init-app-ini
           image: "{{ include "gitea.image" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -114,6 +119,8 @@ spec:
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           securityContext:
             {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
         {{- if .Values.signing.enabled }}
         - name: configure-gpg
           image: "{{ include "gitea.image" . }}"
@@ -143,6 +150,8 @@ spec:
             {{- if .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
         {{- end }}
         - name: configure-gitea
           image: "{{ include "gitea.image" . }}"
@@ -232,6 +241,8 @@ spec:
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
+          resources:
+            {{- toYaml .Values.initContainers.resources | nindent 12 }}
       terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
       containers:
         - name: {{ .Chart.Name }}

unittests/init/basic.yaml

@@ -10,6 +10,6 @@ tests:
       - hasDocuments:
           count: 1
       - containsDocument:
-          kind: Secret  
+          kind: Secret
           apiVersion: v1
           name: gitea-unittests-init

unittests/init/init_directory_structure.sh.yaml

@@ -8,6 +8,10 @@ tests:
   - it: runs gpg in batch mode
     set:
       signing.enabled: true
+      signing.privateKey: |-
+        -----BEGIN PGP PRIVATE KEY BLOCK-----
+        {placeholder}
+        -----END PGP PRIVATE KEY BLOCK-----
     asserts:
       - equal:
           path: stringData["configure_gpg_environment.sh"]
@@ -38,6 +42,10 @@ tests:
   - it: adds gpg script block for enabled signing
     set:
       signing.enabled: true
+      signing.privateKey: |-
+        -----BEGIN PGP PRIVATE KEY BLOCK-----
+        {placeholder}
+        -----END PGP PRIVATE KEY BLOCK-----
     asserts:
       - equal:
           path: stringData["init_directory_structure.sh"]

unittests/statefulset/basic.yaml

@@ -12,6 +12,6 @@ tests:
       - hasDocuments:
           count: 1
       - containsDocument:
-          kind: StatefulSet  
+          kind: StatefulSet
           apiVersion: apps/v1
           name: gitea-unittests

unittests/statefulset/signing-disabled.yaml

@@ -17,9 +17,9 @@ tests:
   - it: skips gpg env in `init-directories` init container
     template: templates/gitea/statefulset.yaml
     set:
-      signing.enabled: true
+      signing.enabled: false
     asserts:
-      - contains:
+      - notContains:
           path: spec.template.spec.initContainers[0].env
           content:
             name: GNUPGHOME

unittests/statefulset/signing-enabled.yaml

@@ -42,6 +42,7 @@ tests:
     template: templates/gitea/statefulset.yaml
     set:
       signing.enabled: true
+      signing.existingSecret: "custom-gpg-secret"
     asserts:
       - contains:
           path: spec.template.spec.initContainers[0].env
@@ -52,6 +53,7 @@ tests:
     template: templates/gitea/statefulset.yaml
     set:
       signing.enabled: true
+      signing.existingSecret: "custom-gpg-secret"
     asserts:
       - contains:
           path: spec.template.spec.containers[0].env
@@ -63,6 +65,7 @@ tests:
     set:
       signing:
         enabled: true
+        existingSecret: "gitea-unittests-gpg-key"
     asserts:
       - contains:
           path: spec.template.spec.volumes

values.yaml

@@ -138,7 +138,8 @@ ingress:
   enabled: false
   # className: nginx
   className:
-  annotations: {}
+  annotations:
+    {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
   hosts:
@@ -157,7 +158,8 @@ ingress:
 ## @section StatefulSet
 #
 ## @param resources Kubernetes resources
-resources: {}
+resources:
+  {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
@@ -187,12 +189,16 @@ affinity: {}
 ## @param dnsConfig dnsConfig for the statefulset
 dnsConfig: {}
 
+## @param priorityClassName priorityClassName for the statefulset
+priorityClassName: ""
+
 ## @param statefulset.env  Additional environment variables to pass to containers
 ## @param statefulset.terminationGracePeriodSeconds How long to wait until forcefully kill the pod
 ## @param statefulset.labels Labels for the statefulset
 ## @param statefulset.annotations Annotations for the Gitea StatefulSet to be created
 statefulset:
-  env: []
+  env:
+    []
     # - name: VARIABLE
     #   value: my-value
   terminationGracePeriodSeconds: 60
@@ -252,6 +258,16 @@ initPreScript: ""
 #   chown -R git:git /data/git/.postgresql/
 #   chmod 400 /data/git/.postgresql/postgresql.key
 
+## @param initContainers.resources.limits initContainers.limits Kubernetes resource limits for init containers
+## @param initContainers.resources.requests.cpu initContainers.requests.cpu Kubernetes cpu resource limits for init containers
+## @param initContainers.resources.requests.memory initContainers.requests.memory Kubernetes memory resource limits for init containers
+initContainers:
+  resources:
+    limits: {}
+    requests:
+      cpu: 100m
+      memory: 128Mi
+
 # Configure commit/action signing prerequisites
 ## @section Signing
 #
@@ -277,7 +293,7 @@ gitea:
   ## @param gitea.admin.password Password for the Gitea admin user
   ## @param gitea.admin.email Email for the Gitea admin user
   admin:
-    #existingSecret: gitea-admin-secret
+    # existingSecret: gitea-admin-secret
     existingSecret:
     username: gitea_admin
     password: r8sA8CPHD9!bt6d
@@ -293,7 +309,8 @@ gitea:
       #    prometheus-release: prom1
 
   ## @param gitea.ldap LDAP configuration
-  ldap: []
+  ldap:
+    []
     # - name: "LDAP 1"
     #  existingSecret:
     #  securityProtocol:
@@ -310,7 +327,8 @@ gitea:
 
   # Either specify inline `key` and `secret` or refer to them via `existingSecret`
   ## @param gitea.oauth OAuth configuration
-  oauth: []
+  oauth:
+    []
     # - name: 'OAuth 1'
     #   provider:
     #   key:
@@ -414,11 +432,20 @@ gitea:
 ## @section Memcached
 #
 ## @param memcached.enabled Memcached is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/memcached) if enabled in the values. Complete Configuration can be taken from their website.
-## @param memcached.service.port Port for Memcached
+## ref: https://hub.docker.com/r/bitnami/memcached/tags/
+## @param memcached.service.ports.memcached Port for Memcached
 memcached:
   enabled: true
+  # image:
+  #   registry: docker.io
+  #   repository: bitnami/memcached
+  #   tag: ""
+  #   digest: ""
+  #   pullPolicy: IfNotPresent
+  #   pullSecrets: []
   service:
-    port: 11211
+    ports:
+      memcached: 11211
 
 ## @section PostgreSQL
 #