Several Improvements to Helm Chart (#87)

Improve ldap settings with helper function

Allow clusterIP for http service to be set, default to None

Use imagePullSecrets in statefulset now

Update default values

Update README

Bump Chart version

Co-authored-by: luhahn <lucas.hahn@novum-rgi.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/87
Reviewed-by: lafriks <lafriks@noreply.gitea.io>
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-Authored-By: luhahn <luhahn@noreply.gitea.io>
Co-Committed-By: luhahn <luhahn@noreply.gitea.io>

Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
-version: 2.0.6
-appVersion: 1.12.6
+version: 2.1.3
+appVersion: 1.13.0
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:

README.md

@@ -132,6 +132,34 @@ By default port 3000 is used for web traffic and 22 for ssh. Those can be change
 
 This helmchart automatically configures the clone urls to use the correct ports. You can change these ports by hand using the gitea.config dict. However you should know what you're doing.
 
+### ClusterIP
+
+By default the clusterIP will be set to None, which is the default for headless services. However if you want to omit the clusterIP field in the service, use the following values:
+
+```yaml
+service:
+  http:
+    type: ClusterIP
+    port: 3000
+    clusterIP:
+  ssh:
+    type: ClusterIP
+    port: 22
+    clusterIP:
+```
+
+### SSH and Ingress
+
+If you're using ingress and wan't to use SSH, keep in mind, that ingress is not able to forward SSH Ports.
+You will need a LoadBalancer like metallb and a setting in your ssh service annotations.
+
+```yaml
+service:
+  ssh:
+    annotations:
+      metallb.universe.tf/allow-shared-ip: test
+```
+
 ### Cache
 
 This helm chart can use a built in cache. The default is memcached from bitnami.
@@ -208,6 +236,10 @@ It is not possible to delete an admin user after it has been created. This has t
 ### LDAP Settings
 
 Like the admin user the ldap settings can be updated but also disabled or deleted.
+All ldap values from https://docs.gitea.io/en-us/command-line/#admin are available.
+You can either use them in camel case or kebab case.
+
+camelCase:
 
 ```yaml
   gitea:
@@ -226,6 +258,25 @@ Like the admin user the ldap settings can be updated but also disabled or delete
       usernameAttribute: CN
 ```
 
+kebab-case:
+
+```yaml
+  gitea:
+    ldap:
+      enabled: true
+      name: 'MyAwesomeGiteaLdap'
+      security-protocol: unencrypted
+      host: "127.0.0.1"
+      port: "389"
+      user-search-base: ou=Users,dc=example,dc=com
+      user-filter: sAMAccountName=%s
+      admin-filter: CN=Admin,CN=Group,DC=example,DC=com
+      email-attribute: mail
+      bind-dn: CN=ldap read,OU=Spezial,DC=example,DC=com
+      bind-password: JustAnotherBindPw
+      username-attribute: CN
+```
+
 ### Pod Annotations
 
 Annotations can be added to the Gitea pod.
@@ -249,7 +300,7 @@ Annotations can be added to the Gitea pod.
 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
 |image.repository| Image to start for this pod | gitea/gitea |
-|image.version| Image Version | 1.12.6 |
+|image.version| Image Version | 1.13.0 |
 |image.pullPolicy| Image pull policy | Always |
 
 ### Persistence

templates/_helpers.tpl

@@ -95,3 +95,14 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- printf "%s-gitea.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{- define "gitea.ldap_settings" -}}
+{{- range $key, $val := .Values.gitea.ldap -}}
+{{- if ne $key "enabled" -}}
+{{- if eq $key "port" -}}
+{{- printf "--%s %s " ($key | kebabcase) $val -}}
+{{- else -}}
+{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}

templates/gitea/http-svc.yaml

@@ -11,8 +11,8 @@ spec:
   {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
   loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
   {{- end }}
-  {{ if eq .Values.service.http.type "ClusterIP" }}
-  clusterIP: None
+  {{- if and .Values.service.http.clusterIP (eq .Values.service.http.type "ClusterIP") }}
+  clusterIP: {{ .Values.service.http.clusterIP }}
   {{- end }}
   ports:
   - name: http

templates/gitea/ingress.yaml

@@ -1,9 +1,9 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "gitea.fullname" . -}}
 {{- $httpPort := .Values.service.http.port -}}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
 apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
 apiVersion: networking.k8s.io/v1beta1
 {{- else -}}
 apiVersion: extensions/v1beta1
@@ -34,13 +34,16 @@ spec:
       http:
         paths:
           - path: /
+            {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+            pathType: Prefix
+            {{- end }}
             backend:
-            {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion -}}
+            {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
               service:
                 name: {{ $fullName }}-http
                 port:
                   number: {{ $httpPort }}
-            {{- else -}}
+            {{- else }}
               serviceName: {{ $fullName }}-http
               servicePort: {{ $httpPort }}
             {{- end }}

templates/gitea/init.yaml

@@ -18,40 +18,18 @@ stringData:
     set -x; \
     gitea migrate; \
     {{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}
-    gitea admin create-user --username  {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}' --email {{ .Values.gitea.admin.email }} --admin \
+    gitea admin create-user --username  {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}' --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
     || \
     gitea admin change-password --username {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}'; \
     {{- end }}
     {{- if .Values.gitea.ldap.enabled }}
     gitea admin auth add-ldap \
-    --name {{ .Values.gitea.ldap.name | quote }} \
-    --security-protocol {{ .Values.gitea.ldap.securityProtocol | quote }} \
-    --host {{ .Values.gitea.ldap.host | quote }} \
-    --port {{ .Values.gitea.ldap.port | int}} \
-    --user-search-base {{ .Values.gitea.ldap.userSearchBase | quote }} \
-    --user-filter {{ .Values.gitea.ldap.userFilter | quote }} \
-    --admin-filter {{ .Values.gitea.ldap.adminFilter | quote }} \
-    --email-attribute {{ .Values.gitea.ldap.emailAttribute | quote }} \
-    --bind-dn {{ .Values.gitea.ldap.bindDn | quote }} \
-    --bind-password {{ .Values.gitea.ldap.bindPassword | quote }} \
-    --synchronize-users \
-    --username-attribute {{ .Values.gitea.ldap.usernameAttribute | quote }} \
+    {{- include "gitea.ldap_settings" . | nindent 6 }} \
     || \
     ( \
       export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.ldap.name | quote }} | awk -F " "  "{print \$1}"); \
       gitea admin auth update-ldap --id ${GITEA_AUTH_ID} \
-      --name {{ .Values.gitea.ldap.name | quote }} \
-      --security-protocol {{ .Values.gitea.ldap.securityProtocol | quote }} \
-      --host {{ .Values.gitea.ldap.host | quote }} \
-      --port {{ .Values.gitea.ldap.port | int}} \
-      --user-search-base {{ .Values.gitea.ldap.userSearchBase | quote }} \
-      --user-filter {{ .Values.gitea.ldap.userFilter | quote }} \
-      --admin-filter {{ .Values.gitea.ldap.adminFilter | quote }} \
-      --email-attribute {{ .Values.gitea.ldap.emailAttribute | quote }} \
-      --bind-dn {{ .Values.gitea.ldap.bindDn | quote }} \
-      --bind-password {{ .Values.gitea.ldap.bindPassword | quote }} \
-      --synchronize-users \
-      --username-attribute {{ .Values.gitea.ldap.usernameAttribute | quote }} \
+      {{- include "gitea.ldap_settings" . | nindent 6 }} \
     ) \
     {{- end }}
     '

templates/gitea/ssh-svc.yaml

@@ -11,8 +11,8 @@ spec:
   {{- if and .Values.service.ssh.loadBalancerIP (eq .Values.service.ssh.type "LoadBalancer") }}
   loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
   {{- end }}
-  {{- if eq .Values.service.ssh.type "ClusterIP" }}
-  clusterIP: None
+  {{- if and .Values.service.ssh.clusterIP (eq .Values.service.ssh.type "ClusterIP") }}
+  clusterIP: {{ .Values.service.ssh.clusterIP }}
   {{- end }}
   {{- if .Values.service.ssh.externalIPs }}
   externalIPs:

templates/gitea/statefulset.yaml

@@ -20,6 +20,10 @@ spec:
       labels:
         {{- include "gitea.selectorLabels" . | nindent 8 }}
     spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       securityContext:
         fsGroup: 1000
       initContainers:

values.yaml

@@ -8,7 +8,7 @@ clusterDomain: cluster.local
 
 image:
   repository: gitea/gitea
-  version: 1.12.6
+  version: 1.13.0
   pullPolicy: Always
 
 imagePullSecrets: []
@@ -17,10 +17,14 @@ service:
   http:
     type: ClusterIP
     port: 3000
+    clusterIP: None
+    #loadBalancerIP:
+    #nodePort:
     annotations:
   ssh:
     type: ClusterIP
     port: 22
+    clusterIP: None
     #loadBalancerIP:
     #nodePort:
     #externalTrafficPolicy: