Update default params of chart dependencies (#473)

### Description of the change

Update default params of chart dependencies. Tested with multiple upgrades and fresh installations.
Using no password auth for redis simplifies things for basic installations. Production installations should properly configure auth as they need it.

### Benefits

To avoid/solve upgrading issues as in #407 and #472

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/473
Co-authored-by: pat-s <patrick.schratz@gmail.com>
Co-committed-by: pat-s <patrick.schratz@gmail.com>

.drone.yml

@@ -1,69 +0,0 @@
----
-kind: pipeline
-name: lint
-
-platform:
-  os: linux
-  arch: amd64
-
-steps:
-- name: lint
-  pull: always
-  image: pelotech/drone-helm3
-  settings:
-    helm_command: lint
-    chart: ./
-
-- name: discord
-  pull: always
-  image: appleboy/drone-discord:1.0.0
-  environment:
-    DISCORD_WEBHOOK_ID:
-      from_secret: discord_webhook_id
-    DISCORD_WEBHOOK_TOKEN:
-      from_secret: discord_webhook_token
-  when:
-    status:
-    - changed
-    - failure
-
----
-kind: pipeline
-name: release-version
-
-platform:
-  os: linux
-  arch: arm64
-
-trigger:
-  event:
-    - tag
-
-steps:
-  - name: generate-chart
-    pull: default
-    image: alpine:3.12
-    commands:
-      - wget -q https://get.helm.sh/helm-v3.3.1-linux-arm64.tar.gz -O - | tar -xzO linux-arm64/helm > /usr/local/bin/helm
-      - chmod +x /usr/local/bin/helm
-      - helm dependency update
-      - helm package ./
-      - mkdir gitea
-      - mv gitea*.tgz gitea/
-      - wget -O gitea/index.yaml https://dl.gitea.io/charts/index.yaml
-      - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
-
-  - name: upload-chart
-    pull: default
-    image: plugins/s3:latest
-    settings:
-      bucket: releases
-      endpoint: https://storage.gitea.io
-      path_style: true
-      access_key:
-        from_secret: aws_access_key_id
-      secret_key:
-        from_secret: aws_secret_access_key
-      source: gitea/*
-      target: /charts
-      strip_prefix: gitea/

.editorconfig

@@ -0,0 +1,12 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = false
+insert_final_newline = false

.gitea/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,42 @@
+<!--
+ Before you open the request please review the following guidelines and tips to help it be more easily integrated:
+
+ - Describe the scope of your change - i.e. what the change does.
+ - Describe any known limitations with your change.
+ - Please run any tests or examples that can exercise your modified code.
+
+ Thank you for contributing! We will try to review, test and integrate the change as soon as we can.
+ -->
+
+### Description of the change
+
+<!-- Describe the scope of your change - i.e. what the change does. -->
+
+### Benefits
+
+<!-- What benefits will be realized by the code change? -->
+
+### Possible drawbacks
+
+<!-- Describe any known limitations with your change -->
+
+### Applicable issues
+
+<!-- Enter any applicable Issues here (You can reference an issue using #). Please remove this section if there is no referenced issue. -->
+  - fixes #
+
+### Additional information
+
+<!-- If there's anything else that's important and relevant to your pull request, mention that information here. Please remove this section if it remains empty. -->
+
+### ⚠ BREAKING
+
+<!-- If there's a breaking change, please shortly describe in which way users are affected and how they can mitigate it. If there are no breakings, please remove this section. -->
+
+### Checklist
+
+<!-- [Place an '[X]' (no spaces) in all applicable fields. Please remove unrelated fields.] -->
+
+- [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
+- [ ] Breaking changes are documented in the `README.md`
+- [ ] Templating unittests are added

.gitea/workflows/release-version.yml

@@ -0,0 +1,53 @@
+name: generate-chart
+
+on:
+  push:
+    tags:
+      - "*"
+
+jobs:
+  generate-chart-publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: install tools
+        run: |
+          apt update -y
+          apt install -y curl
+          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          apt update -y
+          apt install -y python helm python3-pip apt-transport-https
+          pip install awscli
+
+      - name: Import GPG key
+        id: import_gpg
+        uses: https://github.com/crazy-max/ghaction-import-gpg@v5
+        with:
+          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
+          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
+          fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
+
+      # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
+      - name: package chart
+        run: |
+          # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
+          helm plugin install https://github.com/pat-s/helm-gpg
+          helm dependency update
+          helm package --version "${GITHUB_REF#refs/tags/v}" ./
+          helm gpg sign "gitea-${GITHUB_REF#refs/tags/v}.tgz"
+          mkdir gitea
+          mv gitea*.tgz gitea/
+          curl -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
+          helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
+
+      - name: aws credential configure
+        uses: https://github.com/aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Copy files to S3 and clear cache
+        run: |
+          aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/

.gitea/workflows/test-pr.yml

@@ -0,0 +1,36 @@
+name: check-and-test
+
+on:
+  - pull_request
+
+jobs:
+  check-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: install tools
+        run: |
+          apt update -y
+          apt install -y curl make
+          curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list
+          apt update -y
+          apt install -y helm python3-pip
+          pip install yamllint
+      - name: dependency update
+        run: helm dependency update
+      - name: lint
+        run: helm lint
+      - name: template
+        run: |
+          helm template --debug gitea-helm .
+      - name: unit tests
+        run: |
+          helm plugin install --version 0.3.3 https://github.com/helm-unittest/helm-unittest
+          make unittests
+      - name: verify readme
+        run: |
+          make readme
+          git diff --exit-code --name-only README.md
+      - name: yaml lint
+        uses: https://github.com/ibiqlik/action-yamllint@v3

.gitignore

@@ -1,2 +1,4 @@
-charts
+charts/
-Chart.lock
+node_modules/
+.DS_Store
+unittests/*/__snapshot__/

.helmignore

@@ -20,5 +20,14 @@
 .idea/
 *.tmproj
 .vscode/
-#charts/
+node_modules/
-#Chart.lock
+.npmrc
+package.json
+package-lock.json
+.gitea/
+Makefile
+.markdownlintignore
+.markdownlint.yaml
+.drone.yml
+CONTRIBUTING.md
+unittests/

.markdownlint.yaml

@@ -0,0 +1,149 @@
+# markdownlint YAML configuration
+# https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml
+
+# Default state for all rules
+default: true
+
+# Path to configuration file to extend
+extends: null
+
+# MD003/heading-style/header-style - Heading style
+MD003:
+  # Heading style
+  style: "atx"
+
+# MD004/ul-style - Unordered list style
+MD004:
+  style: "dash"
+
+# MD007/ul-indent - Unordered list indentation
+MD007:
+  # Spaces for indent
+  indent: 2
+  # Whether to indent the first level of the list
+  start_indented: false
+
+# MD009/no-trailing-spaces - Trailing spaces
+MD009:
+  # Spaces for line break
+  br_spaces: 2
+  # Allow spaces for empty lines in list items
+  list_item_empty_lines: false
+  # Include unnecessary breaks
+  strict: false
+
+# MD010/no-hard-tabs - Hard tabs
+MD010:
+  # Include code blocks
+  code_blocks: true
+
+# MD012/no-multiple-blanks - Multiple consecutive blank lines
+MD012:
+  # Consecutive blank lines
+  maximum: 1
+
+# MD013/line-length - Line length
+MD013:
+  # Number of characters
+  line_length: 200
+  # Number of characters for headings
+  heading_line_length: 100
+  # Number of characters for code blocks
+  code_block_line_length: 80
+  # Include code blocks
+  code_blocks: false
+  # Include tables
+  tables: false
+  # Include headings
+  headings: true
+  # Include headings
+  headers: true
+  # Strict length checking
+  strict: false
+  # Stern length checking
+  stern: false
+
+# MD022/blanks-around-headings/blanks-around-headers - Headings should be surrounded by blank lines
+MD022:
+  # Blank lines above heading
+  lines_above: 1
+  # Blank lines below heading
+  lines_below: 1
+
+# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content
+MD024:
+  # Only check sibling headings
+  allow_different_nesting: true
+
+# MD025/single-title/single-h1 - Multiple top-level headings in the same document
+MD025:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter
+  front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD026/no-trailing-punctuation - Trailing punctuation in heading
+MD026:
+  # Punctuation characters
+  punctuation: ".,;:!。，；：！"
+
+# MD029/ol-prefix - Ordered list item prefix
+MD029:
+  # List style
+  style: "one_or_ordered"
+
+# MD030/list-marker-space - Spaces after list markers
+MD030:
+  # Spaces for single-line unordered list items
+  ul_single: 1
+  # Spaces for single-line ordered list items
+  ol_single: 1
+  # Spaces for multi-line unordered list items
+  ul_multi: 1
+  # Spaces for multi-line ordered list items
+  ol_multi: 1
+
+# MD033/no-inline-html - Inline HTML
+MD033:
+  # Allowed elements
+  allowed_elements: [details, summary]
+
+# MD035/hr-style - Horizontal rule style
+MD035:
+  # Horizontal rule style
+  style: "---"
+
+# MD036/no-emphasis-as-heading/no-emphasis-as-header - Emphasis used instead of a heading
+MD036:
+  # Punctuation characters
+  punctuation: ".,;:!?。，；：！？"
+
+# MD041/first-line-heading/first-line-h1 - First line in a file should be a top-level heading
+MD041:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter
+  front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD044/proper-names - Proper names should have the correct capitalization
+MD044:
+  # List of proper names
+  names:
+    - Gitea
+    - PostgreSQL
+    - Memcached
+    - Prometheus
+    - Git
+    - GitOps
+  # Include code blocks
+  code_blocks: false
+
+# MD046/code-block-style - Code block style
+MD046:
+  # Block style
+  style: "fenced"
+
+# MD048/code-fence-style - Code fence style
+MD048:
+  # Code fence syle
+  style: "backtick"

.markdownlintignore

@@ -0,0 +1,4 @@
+.gitea/
+node_modules/
+charts/
+Chart.lock

.npmrc

@@ -0,0 +1 @@
+engine-strict=true

.prettierignore

@@ -0,0 +1 @@
+Chart.lock

.yamllint

@@ -0,0 +1,20 @@
+---
+extends: default
+
+ignore: |
+  .yamllint
+  node_modules
+  templates
+
+
+rules:
+  truthy:
+    allowed-values: ['true', 'false']
+    check-keys: False
+    level: error
+  line-length: disable
+  document-start: disable
+  comments:
+    min-spaces-from-content: 1
+  braces:
+    max-spaces-inside: 2

CONTRIBUTING.md

@@ -0,0 +1,70 @@
+# Contribution Guidelines
+
+Any type of contribution is welcome; from new features, bug fixes, tests,
+refactorings for easier maintainability or documentation improvements.
+
+## Development environment
+
+- [`node`](https://nodejs.org/en/) at least current LTS
+- [`helm`](https://helm.sh/docs/intro/install/)
+- `make` is optional; you may call the commands directly
+
+When using Visual Studio Code as IDE, following plugins might be useful:
+
+- [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one)
+- [markdownlint](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint)
+- [Helm Intellisense](https://marketplace.visualstudio.com/items?itemName=Tim-Koehler.helm-intellisense)
+- [Prettier - Code formatter](https://marketplace.visualstudio.com/items?itemName=esbenp.prettier-vscode)
+
+## Documentation Requirements
+
+The `README.md` must include all configuration options.
+The parameters section is generated by extracting the parameter annotations from the `values.yaml` file, by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
+
+If changes were made on configuration options, run `make readme` to update the README file.
+
+The ToC is created via the VSCode [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one) extension which can/must also be used used to update it.
+
+## Pull Request Requirements
+
+When submitting or updating a PR:
+
+- make sure it passes CI builds.
+- do not make independent changes in one PR.
+- try to avoid rebases. They make code reviews for large PRs and comments much harder.
+- if applicable, use the PR template for a well-defined PR description.
+- clearly mark breaking changes.
+
+## Local development & testing
+
+For local development and testing of pull requests, the following workflow can
+be used:
+
+1. Install `minikube` and `helm`.
+1. Start a `minikube` cluster via `minikube start`.
+1. From the `gitea/helm-chart` directory execute the following command.
+   This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally.
+   If you want to test a branch, make sure to switch to the respective branch first.
+   `helm install --dependency-update gitea . -f values.yaml`.
+1. Gitea is now deployed in `minikube`.
+   To access it, it's port needs to be forwarded first from `minikube` to localhost first via `kubectl --namespace
+default port-forward svc/gitea-http 3000:3000`.
+   Now Gitea is accessible at [http://localhost:3000](http://localhost:3000).
+
+### Unit tests
+
+```bash
+# install the unittest plugin
+$ helm plugin install https://github.com/helm-unittest/helm-unittest
+
+# run the unittests
+make unittests
+```
+
+See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/v0.3.3/DOCUMENT.md) for usage instructions.
+
+## Release process
+
+1. Create a tag following the tagging schema
+1. Push the tag
+1. Let CI do it's work

Chart.lock

@@ -0,0 +1,12 @@
+dependencies:
+- name: postgresql
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 12.6.6
+- name: postgresql-ha
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 11.7.9
+- name: redis-cluster
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 8.6.9
+digest: sha256:52296a48610712a8eb69a32b1b5818b014bfb8dac79d883e11ebdaf97d41e85d
+generated: "2023-07-17T21:24:06.888357+02:00"

Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
-version: 1.5.2
+version: 0.0.0
-appVersion: 1.12.4
+appVersion: 1.20.0
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:
@@ -14,6 +14,7 @@ keywords:
   - gitea
   - gogs
 sources:
+  - https://gitea.com/gitea/helm-chart
   - https://github.com/go-gitea/gitea
   - https://hub.docker.com/r/gitea/gitea/
 maintainers:
@@ -25,21 +26,25 @@ maintainers:
     email: konrad.lother@novum-rgi.de
   - name: Lucas Hahn
     email: lucas.hahn@novum-rgi.de
+  - name: Steven Kriegler
+    email: sk.bunsenbrenner@gmail.com
+  - name: Patrick Schratz
+    email: patrick.schratz@gmail.com
 
+# Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details
 dependencies:
-- name: memcached
+  # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)
-  repository: https://charts.bitnami.com/bitnami
+  - name: postgresql
-  version: 4.2.20
+    repository: oci://registry-1.docker.io/bitnamicharts
-  condition: gitea.cache.builtIn.enabled
+    version: 12.6.6
-- name: mysql
+    condition: postgresql.enabled
-  repository: https://charts.bitnami.com/bitnami
+  # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml)
-  version: 6.14.10
+  - name: postgresql-ha
-  condition: gitea.database.builtIn.mysql.enabled
+    repository: oci://registry-1.docker.io/bitnamicharts
-- name: postgresql
+    version: 11.7.9
-  repository: https://charts.bitnami.com/bitnami
+    condition: postgresql-ha.enabled
-  version: 9.7.3
+  # Chart release date: 2023-07 (https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml)
-  condition: gitea.database.builtIn.postgresql.enabled
+  - name: redis-cluster
-- name: mariadb
+    repository: oci://registry-1.docker.io/bitnamicharts
-  repository: https://charts.bitnami.com/bitnami
+    version: 8.6.9
-  version: 7.10.2
+    condition: redis-cluster.enabled
-  condition: gitea.database.builtIn.mariadb.enabled

Makefile

@@ -0,0 +1,17 @@
+.PHONY: prepare-environment
+prepare-environment:
+	npm install
+
+.PHONY: readme
+readme: prepare-environment
+	npm run readme:parameters
+	npm run readme:lint
+
+.PHONY: unittests
+unittests:
+	helm unittest --strict -f 'unittests/**/*.yaml' ./
+
+.PHONY: helm
+update-helm-dependencies:
+	helm dependency update
+  

docs/ha-setup.md

@@ -0,0 +1,175 @@
+# High Availability
+
+⚠️ **EXPERIMENTAL** ⚠️
+
+All components (in-memory DB, volume/asset storage, code indexer) used by Gitea must be deployed in a HA-ready fashion to achieve a full HA-ready Gitea deployment.
+The following document explains how to achieve this for all individual components.
+
+The resulting Gitea deployment will consist of ~ 10 pods (depending on the chosen components and their replicas).
+One should evaluate upfront whether a HA-deployment is required as switching between HA/non-HA comes with some effort.
+For production instances, HA is always recommended to increase uptime and have a frictionless update process.
+
+A general comment about chart dependencies and external services:
+Instead of relying on chart dependencies, it is often better to rely on an external, (managed) instances (in-memory database, asset storage provider, database, etc.).
+Many cloud providers offer such services, at least for databases or in-memory databases.
+They might cost a bit more than using a self-hosted k8s variant but are usually easier to maintain and scale, if needed.
+Also they can be centrally managed and are not linked to the Gitea helm chart or namespace.
+Please consider using external services before you start with your Gitea HA setup, it will make your life (and the life of the Gitea maintainers) easier.
+
+This helm chart tries to help as much as possible to simplify and assert the provisioning of a HA-ready Gitea instance by implementing smart conditionals if `replicaCount` is set to a value > 1.
+Nevertheless, we cannot guarantee for every possible combination of Gitea settings to work together perfectly in a HA setup.
+As a general advice, we recommend to have a test environment aside on which to test possible changes/upgrades before applying these to a production installation.
+
+## Requirements for HA
+
+Storage-wise, the HA-Gitea setup requires a RWX file-system which can be shared among the deployment-based replica pods.
+In addition, the following components are required for full HA-readiness:
+
+- A HA-ready issue (and optionally code) indexer: `elasticsearch` or `meilisearch`
+- A HA-ready external object/asset storage (`minio`) (optional, assets can also be stored on the RWX file-system)
+- A HA-ready cache (`redis-cluster`)
+- A HA-ready DB
+
+`postgres.enabled`, which default to `true`, must be set to `false` for a HA setup.
+The default `postgres` chart dependency is not HA-ready (there's a dedicated `postgres-ha` chart).
+
+The following sections discuss each of the components in more detail.
+Note that for each component discussed, the shown configurations only provides a (working) starting point, not necessarily the most optimal setup.
+We try to optimize this document over time as we have gained more experience with HA setups from users.
+
+## Indexers (Issues and code/repo)
+
+The default code indexer `bleve` is not able to allow multiple connections and hence cannot be used in a HA setup.
+Alternatives are `elasticsearch` and `meilisearch` (as of >= 1.19.2).
+Unless you have an existing `elasticsearch` cluster, we recommend using `meilisearch` as it is faster and requires way less resources.
+
+Unfortunately, `meilisearch` does only support the `ISSUE_INDEXER` and not the `REPO_INDEXER` yet ([tracking issue](https://github.com/go-gitea/gitea/pull/24149)).
+This means that the `REPO_INDEXER` must still be disabled for a HA setup right now.
+An alternative to the two options above for the `ISSUE_INDEXER` is `"db"`, however we recommend to just go with `meilisearch` in this case and to not bother the DB with indexing.
+
+To configure `meilisearch` within Gitea, do the following:
+
+```yml
+gitea:
+  config:
+    indexer:
+      ISSUE_INDEXER_CONN_STR: <http://meilisearch.<namespace>.svc.cluster.local:7700>
+      ISSUE_INDEXER_ENABLED: true
+      ISSUE_INDEXER_TYPE: meilisearch
+      REPO_INDEXER_ENABLED: false
+      # REPO_INDEXER_TYPE: meilisearch # not yet working
+```
+
+Unfortunately `meilisearch` cannot be deployed in HA as of now.
+Nevertheless it allows for multiple Gitea requests at the same time and is therefore required in a HA setup.
+
+Exemplary configuration for the [meilisearch-kubernetes](https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch) chart:
+
+```yaml
+persistence:
+  enabled: true
+  accessMode: ReadWriteOnce
+  size: 5Gi
+```
+
+## Cache, session and queue
+
+A `redis` instance is required for the in-memory cache.
+Two options exist:
+
+- `redis`
+- `redis-cluster`
+
+The chart provides `redis-cluster` as a dependency as this one can be used for both HA and non-HA setups.
+You're also welcome to go with `redis` if you prefer or already have a running instance.
+
+It should be noted that `redis-cluster` support is only available starting with Gitea 1.19.2.
+You can also configure an external (managed) `redis` instance to be used.
+To do so, you need to set the following configuration values yourself:
+
+- `gitea.config.queue.TYPE`: redis`
+- `gitea.config.queue.CONN_STR`: `<your redis connection string>`
+
+- `gitea.config.session.PROVIDER`: `redis`
+- `gitea.config.session.PROVIDER_CONFIG`: `<your redis connection string>`
+
+- `gitea.config.cache.ENABLED`: `true`
+- `gitea.config.cache.ADAPTER`: `redis`
+- `gitea.config.cache.HOST`: `<your redis connection string>`
+
+## Object and asset storage
+
+Object/asset storage refers to the storage of attachments, avatars, LFS files, etc.
+While most of these can be stored on the RWX file-system, it is recommended to use an external S3-compatible object storage for such, mainly for performance reasons.
+
+By default the chart provisions a single RWO volume to store everything (repos, avatars, packages, etc.).
+This volume cannot be mounted by multiple pods.
+Hence, a RWX volume is required and (optionally) an external HA-ready object storage.
+
+> **Note:** Double-check that the file permissions are set correctly on the RWX volume! That is everything should be owned by the `git` user which usually has `uid=1000` and `gid=1000`.
+
+To use `minio` you need to deploy and configure an external `minio` instance yourself and explicitly define the `STORAGE_TYPE` values as shown below.
+
+Note that `MINIO_BUCKET` here is just a name and does not refer to a S3 bucket.
+It's the root access point for all objects belonging to the respective application, i.e., to Gitea in this case.
+
+```yaml
+gitea:
+  config:
+    attachment:
+      STORAGE_TYPE: minio
+    lfs:
+      STORAGE_TYPE: minio
+    picture:
+      AVATAR_STORAGE_TYPE: minio
+    "storage.packages":
+      STORAGE_TYPE: minio
+
+    storage:
+      MINIO_ENDPOINT: <minio-headless.<namespace>.svc.cluster.local:9000>
+      MINIO_LOCATION: <location>
+      MINIO_ACCESS_KEY_ID: <access key>
+      MINIO_SECRET_ACCESS_KEY: <secret key>
+      MINIO_BUCKET: <bucket name>
+      MINIO_USE_SSL: false
+```
+
+Exemplary configuration for the [bitnami minio](https://github.com/bitnami/charts/blob/main/bitnami/minio) chart:
+
+```yaml
+auth:
+  rootUser: minio
+mode: distributed
+replicaCount: 4
+persistence:
+  enabled: true
+  size: 20Gi
+  accessModes:
+    - ReadWriteOnce
+```
+
+## Database
+
+If you do not have an HA-ready DB, using a managed database service in the cloud might be the easiest and most robust solution.
+Remember: disable the built-in `postgres` dependency and configure the database connection manually via `gitea.config.database`:
+
+```yml
+gitea:
+  database:
+    builtIn:
+      postgresql:
+        enabled: false
+  config:
+    database:
+      DB_TYPE: postgres
+      HOST: <host>
+      NAME: <name>
+      USER: <user>
+```
+
+## Known issues
+
+- Currently Cron jobs are run on all replicas as no leader election is implemented.
+  See [https://github.com/go-gitea/gitea/issues/13791](https://github.com/go-gitea/gitea/issues/13791) for a discussion and possible solution.
+
+- Running with multiple replicas slows down Gitea a bit, i.e. page loading time increases. 

package.json

@@ -0,0 +1,19 @@
+{
+  "name": "gitea-helm-chart",
+  "homepage": "https://gitea.com/gitea/helm-chart.git",
+  "license": "MIT",
+  "private": true,
+  "engineStrict": true,
+  "engines": {
+    "node": ">=16.0.0",
+    "npm": ">=8.0.0"
+  },
+  "scripts": {
+    "readme:lint": "markdownlint *.md -f",
+    "readme:parameters": "readme-generator -v values.yaml -r README.md"
+  },
+  "devDependencies": {
+    "@bitnami/readme-generator-for-helm": "^2.5.0",
+    "markdownlint-cli": "^0.34.0"
+  }
+}

templates/NOTES.txt

@@ -1,7 +1,9 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
 {{- range $host := .Values.ingress.hosts }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}/
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.http.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gitea.fullname" . }})

templates/gitea/config.yaml

@@ -1,115 +1,199 @@
 apiVersion: v1
 kind: Secret
+metadata:
+  name: {{ include "gitea.fullname" . }}-inline-config
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  {{- include "gitea.inline_configuration" . | nindent 2 }}
+---
+apiVersion: v1
+kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  app.ini: |-
+  assertions: |
-    {{- if not (hasKey .Values.gitea.config "cache") -}}
+{{- /* multiple replicas assertions */ -}}
-    {{- $_ := set .Values.gitea.config "cache" dict -}}
+{{- if gt .Values.replicaCount 1.0 -}}
-    {{- end -}}
+  {{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
+    {{- if .Values.gitea.config.cron.GIT_GC_REPOS.enabled -}}
+      {{- fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'GIT_GC_REPOS.enabled = false'." -}}
+    {{- end }}
+  {{- end }}
+  {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
+    {{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
+  {{- end }}
+  
+  {{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
+    {{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
+  {{- end }}
+  {{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
+    {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_TYPE") "bleve" -}}
+      {{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
+        {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_ENABLED") "true" -}}
+          {{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+  
+{{- end }}
+  config_environment.sh: |-
+    #!/usr/bin/env bash
+    set -euo pipefail
 
-    {{- if not (hasKey .Values.gitea.config "server") -}}
+    function env2ini::log() {
-    {{- $_ := set .Values.gitea.config "server" dict -}}
+      printf "${1}\n"
-    {{- end -}}
+    }
 
-    {{- if not (hasKey .Values.gitea.config "database") -}}
+    function env2ini::read_config_to_env() {
-    {{- $_ := set .Values.gitea.config "database" dict -}}
+      local section="${1}"
-    {{- end -}}
+      local line="${2}"
 
-    {{- if not (hasKey .Values.gitea.config "security") -}}
+      if [[ -z "${line}" ]]; then
-    {{- $_ := set .Values.gitea.config "security" dict -}}
+        # skip empty line
-    {{- end -}}
+        return
+      fi
+      
+      # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+      local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
 
-    {{- /* security default settings */ -}}   
+      if [[ -z "${setting}" ]]; then
-    {{- if not .Values.gitea.config.security.INSTALL_LOCK -}}
+        env2ini::log '  ! invalid setting'
-    {{- $_ := set .Values.gitea.config.security "INSTALL_LOCK" "true" -}}
+        exit 1
-    {{- end -}}
+      fi
 
-    {{- /* server default settings */ -}}   
+      local value=''
-    {{- if not (hasKey .Values.gitea.config.server "HTTP_PORT") -}}
+      local regex="^${setting}(\s*)=(\s*)(.*)"
-    {{- $_ := set .Values.gitea.config.server "HTTP_PORT" .Values.service.http.port -}}
+      if [[ $line =~ $regex ]]; then
-    {{- end -}}
+        value="${BASH_REMATCH[3]}"
-    {{- if not .Values.gitea.config.server.PROTOCOL -}}
+      else
-    {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}}
+        env2ini::log '  ! invalid setting'
-    {{- end -}}
+        exit 1
-    {{- if not (.Values.gitea.config.server.DOMAIN) -}}
+      fi
-    {{- if gt (len .Values.ingress.hosts) 0 -}}
-    {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0) -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.ROOT_URL -}}
-    {{- if .Values.ingress.enabled -}}
-    {{- if gt (len .Values.ingress.tls) 0 -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0)) -}}
-    {{- end -}}
-    {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}}
-    {{- end -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.SSH_DOMAIN -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}}
-    {{- end -}}
-    {{- if not .Values.gitea.config.server.SSH_PORT -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}}
-    {{- end -}}
-    {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}}
-    {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}}
-    {{- end -}}
 
-    {{- /* database default settings */ -}}
+      env2ini::log "    + '${setting}'"
-    {{- if .Values.gitea.database.builtIn.postgresql.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "postgres" -}} 
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-    {{- $_ := set .Values.gitea.config.database "HOST"      (include "postgresql.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.postgresql.global.postgresql.postgresqlDatabase -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.postgresql.global.postgresql.postgresqlUsername -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.postgresql.global.postgresql.postgresqlPassword -}}
-    {{ else if .Values.gitea.database.builtIn.mysql.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}} 
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-    {{- $_ := set .Values.gitea.config.database "HOST"      (include "mysql.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mysql.db.name -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mysql.db.user -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mysql.db.password -}}
-    {{ else if .Values.gitea.database.builtIn.mariadb.enabled -}}
-    {{- $_ := set .Values.gitea.config.database "DB_TYPE"   "mysql" -}}
-    {{- if not (.Values.gitea.config.database.HOST) -}}
-    {{- $_ := set .Values.gitea.config.database "HOST"      (include "mariadb.dns" .) -}}
-    {{- end -}}
-    {{- $_ := set .Values.gitea.config.database "NAME"      .Values.mariadb.db.name -}}
-    {{- $_ := set .Values.gitea.config.database "USER"      .Values.mariadb.db.user -}}
-    {{- $_ := set .Values.gitea.config.database "PASSWD"    .Values.mariadb.db.password -}}
-    {{- end -}}
 
-    {{- /* cache default settings */ -}}
+      if [[ -z "${section}" ]]; then
-    {{- if .Values.gitea.cache.builtIn.enabled -}}
+        export "GITEA____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
-    {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
+        return
-    {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}}
+      fi
-    {{- if not (.Values.gitea.config.cache.HOST) -}}
+
-    {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}}
+      local masked_section="${section//./_0X2E_}"                            # '//' instructs to replace all matches
-    {{- end -}}
+      masked_section="${masked_section//-/_0X2D_}"
-    {{- end -}}
+
+      export "GITEA__${masked_section^^}__${setting^^}=${value}"        # '^^' makes the variable content uppercase
+    }
+
+    function env2ini::reload_preset_envs() {
+      env2ini::log "Reloading preset envs..."
+
+      while read -r line; do
+        if [[ -z "${line}" ]]; then
+          # skip empty line
+          return
+        fi
+
+        # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
+        local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
+
+        if [[ -z "${setting}" ]]; then
+          env2ini::log '  ! invalid setting'
+          exit 1
+        fi
+
+        local value=''
+        local regex="^${setting}(\s*)=(\s*)(.*)"
+        if [[ $line =~ $regex ]]; then
+          value="${BASH_REMATCH[3]}"
+        else
+          env2ini::log '  ! invalid setting'
+          exit 1
+        fi
+
+        env2ini::log "  + '${setting}'"
+
+        export "${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+      done < "/tmp/existing-envs"
+
+      rm /tmp/existing-envs
+    }
+
+
+    function env2ini::process_config_file() {
+      local config_file="${1}"
+      local section="$(basename "${config_file}")"
+
+      if [[ $section == '_generals_' ]]; then
+        env2ini::log "  [ini root]"
+        section=''
+      else
+        env2ini::log "  ${section}"
+      fi
+
+      while read -r line; do
+        env2ini::read_config_to_env "${section}" "${line}"
+      done < <(awk 1 "${config_file}")                             # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
+    }
+
+    function env2ini::load_config_sources() {
+      local path="${1}"
+
+      if [[ -d "${path}" ]]; then
+        env2ini::log "Processing $(basename "${path}")..."
+
+        while read -d '' configFile; do
+          env2ini::process_config_file "${configFile}"
+        done < <(find "${path}" -type l -not -name '..data' -print0)
+
+        env2ini::log "\n"
+      fi
+    }
+
+    function env2ini::generate_initial_secrets() {
+      # These environment variables will either be
+      #   - overwritten with user defined values,
+      #   - initially used to set up Gitea
+      # Anyway, they won't harm existing app.ini files
+
+      export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+      export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+      export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+      export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
+
+      env2ini::log "...Initial secrets generated\n"
+    }
     
-    {{- /* autogenerate app.ini */ -}}
+    # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
-    {{- range $key, $value := .Values.gitea.config  }}
+    env | (grep GITEA || [[ $? == 1 ]]) > /tmp/existing-envs
-    {{- if kindIs "map" $value }}
+    
-    {{- if gt (len $value) 0 }}
+    # MUST BE CALLED BEFORE OTHER CONFIGURATION
+    env2ini::generate_initial_secrets
 
-    [{{ $key }}]
+    env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
-    {{- range $n_key, $n_value := $value }}
+    env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
-    {{ $n_key | upper }} = {{ $n_value }}
+
-    {{- end }}
+    # load existing envs to override auto generated envs
-    {{- end }}
+    env2ini::reload_preset_envs
-    {{- else }}
+
-    {{ $key | upper }} = {{ $value }}
+    env2ini::log "=== All configuration sources loaded ===\n"
-    {{- end }}
+
-    {{- end }}
+    # safety to prevent rewrite of secret keys if an app.ini already exists
+    if [ -f ${GITEA_APP_INI} ]; then
+      env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
+      env2ini::log '  - security.INTERNAL_TOKEN'
+      env2ini::log '  - security.SECRET_KEY'
+      env2ini::log '  - oauth2.JWT_SECRET'
+      env2ini::log '  - server.LFS_JWT_SECRET'
+
+      unset GITEA__SECURITY__INTERNAL_TOKEN
+      unset GITEA__SECURITY__SECRET_KEY
+      unset GITEA__OAUTH2__JWT_SECRET
+      unset GITEA__SERVER__LFS_JWT_SECRET
+    fi
+
+    environment-to-ini -o $GITEA_APP_INI

templates/gitea/deprecation.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.checkDeprecation -}}
+  {{/* CUSTOM PROBES */}}
+  {{- if .Values.gitea.customLivenessProbe -}}
+    {{- fail "`gitea.customLivenessProbe` does no longer exist. Please refer to the changelog and configure `gitea.livenessProbe` instead." -}}
+  {{- end -}}
+  {{- if .Values.gitea.customReadinessProbe -}}
+    {{- fail "`gitea.customReadinessProbe` does no longer exist. Please refer to the changelog and configure `gitea.readinessProbe` instead." -}}
+  {{- end -}}
+  {{- if .Values.gitea.customStartupProbe -}}
+    {{- fail "`gitea.customStartupProbe` does no longer exist. Please refer to the changelog and configure `gitea.startupProbe` instead." -}}
+  {{- end -}}
+
+  {{/* LDAP SOURCES */}}
+  {{- if kindIs "map" .Values.gitea.ldap -}}
+    {{- fail "You can configure multiple LDAP sources. Please refer to the changelog and switch `gitea.ldap` from object to array notation." -}}
+  {{- end -}}
+  
+  {{/* OAUTH SOURCES */}}
+  {{- if kindIs "map" .Values.gitea.oauth -}}
+    {{- fail "You can configure multiple OAuth sources. Please refer to the changelog and switch `gitea.oauth` from object to array notation." -}}
+  {{- end -}}
+  
+  {{/* BUILTIN */}}
+  {{- if .Values.gitea.cache -}}
+    {{- if .Values.gitea.cache.builtIn -}}
+      {{- fail "`gitea.cache.builtIn` does no longer exist. Please use `memcached` at root level instead." -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if .Values.gitea.database -}}
+    {{- if .Values.gitea.database.builtIn -}}
+      {{- fail "`gitea.database.builtIn` does no longer exist. Builtin databases can be configured inside the dependencies itself. Please refer to the changelog." -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}

templates/gitea/extra-list.yaml

@@ -0,0 +1,8 @@
+{{- range .Values.extraDeploy }}
+---
+{{- if typeIs "string" . }}
+    {{- tpl . $ }}
+{{- else }}
+    {{- tpl (. | toYaml) $ }}
+{{- end }}
+{{- end }}

templates/gitea/gpg-secret.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.signing.enabled -}}
+{{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}}
+  {{- fail "Either specify `signing.privateKey` or `signing.existingSecret`" -}}
+{{- end }}
+{{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gitea.gpg-key-secret-name" . }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+data:
+  privateKey: {{ .Values.signing.privateKey | b64enc }}
+{{- end }}
+{{- end }}

templates/gitea/http-svc.yaml

@@ -4,9 +4,36 @@ metadata:
   name: {{ include "gitea.fullname" . }}-http
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
+  annotations:
+    {{- toYaml .Values.service.http.annotations | nindent 4 }}
 spec:
   type: {{ .Values.service.http.type }}
-  clusterIP: None
+  {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
+  loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
+  {{- end }}
+  {{- if .Values.service.http.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range .Values.service.http.loadBalancerSourceRanges }}
+    - {{ . }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.service.http.externalIPs }}
+  externalIPs:
+    {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
+  {{- end }}
+  {{- if .Values.service.http.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.http.ipFamilyPolicy }}
+  {{- end }}
+  {{- with .Values.service.http.ipFamilies }}
+  ipFamilies:
+  {{- toYaml . | nindent 4 }}
+  {{- end -}}
+  {{- if .Values.service.http.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.http.externalTrafficPolicy }}
+  {{- end }}
+  {{- if and .Values.service.http.clusterIP (eq .Values.service.http.type "ClusterIP") }}
+  clusterIP: {{ .Values.service.http.clusterIP }}
+  {{- end }}
   ports:
   - name: http
     port: {{ .Values.service.http.port }}

templates/gitea/ingress.yaml

@@ -1,11 +1,15 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "gitea.fullname" . -}}
 {{- $httpPort := .Values.service.http.port -}}
-{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- $apiVersion := "extensions/v1beta1" -}}
-apiVersion: networking.k8s.io/v1beta1
+{{- if .Values.ingress.apiVersion -}}
-{{- else -}}
+{{- $apiVersion = .Values.ingress.apiVersion -}}
-apiVersion: extensions/v1beta1
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
+{{- $apiVersion = "networking.k8s.io/v1" }}
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
+{{- $apiVersion = "networking.k8s.io/v1beta1" }}
 {{- end }}
+apiVersion: {{ $apiVersion }}
 kind: Ingress
 metadata:
   name: {{ $fullName }}
@@ -16,6 +20,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
+{{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+{{- end }}
 {{- if .Values.ingress.tls }}
   tls:
   {{- range .Values.ingress.tls }}
@@ -27,13 +34,25 @@ spec:
   {{- end }}
 {{- end }}
   rules:
-  {{- range .Values.ingress.hosts }}
+    {{- range .Values.ingress.hosts }}
-    - host: {{ . | quote }}
+    - host: {{ .host | quote }}
       http:
         paths:
-          - path: /
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (eq $apiVersion "networking.k8s.io/v1") }}
+            pathType: {{ .pathType }}
+            {{- end }}
             backend:
+            {{- if eq $apiVersion "networking.k8s.io/v1" }}
+              service:
+                name: {{ $fullName }}-http
+                port:
+                  number: {{ $httpPort }}
+            {{- else }}
               serviceName: {{ $fullName }}-http
               servicePort: {{ $httpPort }}
-  {{- end }}
+            {{- end }}
+          {{- end }}
+    {{- end }}
 {{- end }}

templates/gitea/init.yaml

@@ -6,52 +6,145 @@ metadata:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  init_gitea.sh: |-
+  configure_gpg_environment.sh: |-
-    #!/bin/bash
+    #!/usr/bin/env bash
+    set -eu
+
+    gpg --batch --import /raw/private.asc
+  init_directory_structure.sh: |-
+    #!/usr/bin/env bash
+
+    set -euo pipefail
+
+    {{- if .Values.initPreScript }}
+    # BEGIN: initPreScript
+    {{- with .Values.initPreScript -}}
+    {{ . | nindent 4}}
+    {{- end -}}
+    # END: initPreScript
+    {{- end }}
+
+    set -x
+
+    {{- if not .Values.image.rootless }}
+    chown 1000:1000 /data
+    {{- end }}
     mkdir -p /data/git/.ssh
     chmod -R 700 /data/git/.ssh
-    mkdir -p /data/gitea/conf
+    [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
-    cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
+
-    chmod a+rwx /data/gitea/conf/app.ini
+    # prepare temp directory structure
-    nc -v -w2 -z {{ include "db.servicename" . }} {{ include "db.port" . }} && \
+    mkdir -p "${GITEA_TEMP}"
-    su git -c ' \
+    {{- if not .Values.image.rootless }}
-    set -x; \
+    chown 1000:1000 "${GITEA_TEMP}"
-    gitea migrate; \
-    {{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}
-    gitea admin create-user --username  {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}' --email {{ .Values.gitea.admin.email }} --admin \
-    || \
-    gitea admin change-password --username {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}'; \
     {{- end }}
-    {{- if .Values.gitea.ldap.enabled }}
+    chmod ug+rwx "${GITEA_TEMP}"
-    gitea admin auth add-ldap \
+
-    --name {{ .Values.gitea.ldap.name | quote }} \
+    {{ if .Values.signing.enabled -}}
-    --security-protocol {{ .Values.gitea.ldap.securityProtocol | quote }} \
+    if [ ! -d "${GNUPGHOME}" ]; then
-    --host {{ .Values.gitea.ldap.host | quote }} \
+      mkdir -p "${GNUPGHOME}"
-    --port {{ .Values.gitea.ldap.port | int}} \
+      chmod 700 "${GNUPGHOME}"
-    --user-search-base {{ .Values.gitea.ldap.userSearchBase | quote }} \
+      chown 1000:1000 "${GNUPGHOME}"
-    --user-filter {{ .Values.gitea.ldap.userFilter | quote }} \
+    fi
-    --admin-filter {{ .Values.gitea.ldap.adminFilter | quote }} \
-    --email-attribute {{ .Values.gitea.ldap.emailAttribute | quote }} \
-    --bind-dn {{ .Values.gitea.ldap.bindDn | quote }} \
-    --bind-password {{ .Values.gitea.ldap.bindPassword | quote }} \
-    --synchronize-users \
-    --username-attribute {{ .Values.gitea.ldap.usernameAttribute | quote }} \
-    || \
-    ( \
-      export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.ldap.name | quote }} | awk -F " "  "{print \$1}"); \
-      gitea admin auth update-ldap --id ${GITEA_AUTH_ID} \
-      --name {{ .Values.gitea.ldap.name | quote }} \
-      --security-protocol {{ .Values.gitea.ldap.securityProtocol | quote }} \
-      --host {{ .Values.gitea.ldap.host | quote }} \
-      --port {{ .Values.gitea.ldap.port | int}} \
-      --user-search-base {{ .Values.gitea.ldap.userSearchBase | quote }} \
-      --user-filter {{ .Values.gitea.ldap.userFilter | quote }} \
-      --admin-filter {{ .Values.gitea.ldap.adminFilter | quote }} \
-      --email-attribute {{ .Values.gitea.ldap.emailAttribute | quote }} \
-      --bind-dn {{ .Values.gitea.ldap.bindDn | quote }} \
-      --bind-password {{ .Values.gitea.ldap.bindPassword | quote }} \
-      --synchronize-users \
-      --username-attribute {{ .Values.gitea.ldap.usernameAttribute | quote }} \
-    ) \
     {{- end }}
-    '
+
+  configure_gitea.sh: |-
+    #!/usr/bin/env bash
+
+    set -euo pipefail
+
+    echo '==== BEGIN GITEA CONFIGURATION ===='
+
+    { # try
+      gitea migrate
+    } || { # catch
+      echo "Gitea migrate might fail due to database connection...This init-container will try again in a few seconds"
+      exit 1
+    }
+
+    {{- if include "redis.servicename" . }}
+    function test_redis_connection() {
+      local RETRY=0
+      local MAX=30
+      
+      echo 'Wait for redis to become avialable...'
+      until [ "${RETRY}" -ge "${MAX}" ]; do
+        nc -vz -w2 {{ include "redis.servicename" . }} {{ include "redis.port" . }} && break
+        RETRY=$[${RETRY}+1]
+        echo "...not ready yet (${RETRY}/${MAX})"
+      done
+
+      if [ "${RETRY}" -ge "${MAX}" ]; then
+        echo "Redis not reachable after '${MAX}' attempts!"
+        exit 1
+      fi
+    }
+
+    test_redis_connection
+    {{- end }}
+    
+
+    {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
+    function configure_admin_user() {
+      local ACCOUNT_ID=$(gitea admin user list --admin | grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+" | awk -F " " "{printf \$1}")
+      if [[ -z "${ACCOUNT_ID}" ]]; then
+        echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
+        gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
+        echo '...created.'
+      else
+        echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
+        gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
+        echo '...password sync done.'
+      fi
+    }
+
+    configure_admin_user
+    {{- end }}
+
+    function configure_ldap() {
+      {{- if .Values.gitea.ldap }}
+      {{- range $idx, $value := .Values.gitea.ldap }}
+      local LDAP_NAME={{ (printf "%s" $value.name) | squote }}
+      local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")
+
+      if [[ -z "${GITEA_AUTH_ID}" ]]; then
+        echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
+        gitea admin auth add-ldap {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
+        echo '...installed.'
+      else
+        echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..."
+        gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
+        echo '...sync settings done.'
+      fi
+      {{- end }}
+      {{- else }}
+        echo 'no ldap configuration... skipping.'
+      {{- end }}
+    }
+
+    configure_ldap
+
+    function configure_oauth() {
+      {{- if .Values.gitea.oauth }}
+      {{- range $idx, $value := .Values.gitea.oauth }}
+      local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
+      local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")
+
+      if [[ -z "${AUTH_ID}" ]]; then
+        echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
+        gitea admin auth add-oauth {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
+        echo '...installed.'
+      else
+        echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
+        gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
+        echo '...sync settings done.'
+      fi
+      {{- end }}
+      {{- else }}
+        echo 'no oauth configuration... skipping.'
+      {{- end }}
+    }
+
+    configure_oauth
+
+    echo '==== END GITEA CONFIGURATION ===='