Add loadbalancersourceranges to ssh service (#105 )

SSH service might want to limit the a range of source IPs. LoadBalancerSourceRanges enables to limit them just passing a list of CIDR addresses to whitelist Co-authored-by: javier <perezrubio.javier@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/105 Reviewed-by: luhahn <luhahn@noreply.gitea.io> Reviewed-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: JPRbrs <jprbrs@noreply.gitea.io> Co-committed-by: JPRbrs <jprbrs@noreply.gitea.io>
1.13.2 (#108 )
2021-02-05 04:42:42 +08:00 · 2021-02-05 01:46:55 +08:00 · 2021-01-22 16:24:37 +08:00 · 2021-01-21 23:45:26 +08:00 · 2021-01-20 19:28:39 +08:00 · 2021-01-14 15:13:49 +08:00
9 changed files with 155 additions and 13 deletions
--- a/Chart.yaml
+++ b/Chart.yaml
@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.13.1
+appVersion: 1.13.2
 icon: https://docs.gitea.io/images/gitea.png

 keywords:
--- a/README.md
+++ b/README.md
@ -95,6 +95,16 @@ ROOT_URL = http://git.example.com
 SSH_DOMAIN = git.example.com
 SSH_LISTEN_PORT = 22
 SSH_PORT = 22
+ENABLE_PPROF = false
+```
+
+#### Metrics defaults
+
+The Prometheus `/metrics` endpoint is disabled by default.
+
+```ini
+[metrics]
+ENABLED = false
 ```

 ### External Database
@ -224,6 +234,7 @@ You can interact with the postgres settings as displayed in the following exampl

 This chart enables you to create a default admin user. It is also possible to update the password for this user by upgrading or redeloying the chart.
 It is not possible to delete an admin user after it has been created. This has to be done in the ui.
+You cannot use `admin` as username.

 ```yaml
  gitea:
@ -256,6 +267,7 @@ camelCase:
      bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
      bindPassword: JustAnotherBindPw
      usernameAttribute: CN
+      sshPublicKeyAttribute: sshPublicKey
 ```

 kebab-case:
@ -277,6 +289,24 @@ kebab-case:
      username-attribute: CN
 ```

+### Metrics and profiling
+
+A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling endpoints on port 6060 can be enabled under `gitea`. Beware that the metrics endpoint is exposed via the ingress, manage access using ingress annotations for example.
+
+To deploy the `ServiceMonitor`, you first need to ensure that you have deployed `prometheus-operator` and its CRDs: https://github.com/prometheus-operator/prometheus-operator#customresourcedefinitions.
+
+```yaml
+gitea:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+
+  config:
+    server:
+      PPROF_ENABLED: true
+```
+
 ### Pod Annotations

 Annotations can be added to the Gitea pod.
@ -290,17 +320,20 @@ Annotations can be added to the Gitea pod.

 ### Others

-| Parameter           | Description                       | Default                      |
-|---------------------|-----------------------------------|------------------------------|
-|statefulset.terminationGracePeriodSeconds| Image to start for this pod | gitea/gitea |
-|statefulset.env           | Additional environment variables to pass to containers | [] |
+| Parameter                                 | Description                                            | Default     |
+|-------------------------------------------|--------------------------------------------------------|-------------|
+| statefulset.terminationGracePeriodSeconds | Image to start for this pod                            | gitea/gitea |
+| statefulset.env                           | Additional environment variables to pass to containers | []          |
+| extraVolumes                              | Additional volumes to mount to the Gitea statefulset   | {}          |
+| extraVolumeMounts                         | Additional volumes mounts for the Gitea containers     | {}          |
+| initPreScript                             | Bash script copied verbatim to start of init container |             |

 ### Image

 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
 |image.repository| Image to start for this pod | gitea/gitea |
-|image.tag| [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | 1.13.1 |
+|image.tag| [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | 1.13.2 |
 |image.pullPolicy| Image pull policy | Always |

 ### Persistence
@ -312,6 +345,8 @@ Annotations can be added to the Gitea pod.
 |persistence.size| Size for persistence to store repo information | 10Gi |
 |persistence.accessModes|AccessMode for persistence||
 |persistence.storageClass|Storage class for repository persistence||
+|persistence.labels|Labels for the persistence volume claim to be created|{}|
+|persistence.annotations|Annotations for the persistence volume claim to be created|{}|

 ### Ingress

--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -99,7 +99,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- range $key, $val := .Values.gitea.ldap -}}
 {{- if ne $key "enabled" -}}
 {{- if eq $key "port" -}}
-{{- printf "--%s %s " ($key | kebabcase) $val -}}
+{{- printf "--%s %d " ($key | kebabcase) ($val | int) -}}
 {{- else -}}
 {{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
 {{- end -}}
--- a/templates/gitea/config.yaml
+++ b/templates/gitea/config.yaml
@ -15,6 +15,10 @@ stringData:
    {{- $_ := set .Values.gitea.config "server" dict -}}
    {{- end -}}

+    {{- if not (hasKey .Values.gitea.config "metrics") -}}
+    {{- $_ := set .Values.gitea.config "metrics" dict -}}
+    {{- end -}}
+
    {{- if not (hasKey .Values.gitea.config "database") -}}
    {{- $_ := set .Values.gitea.config "database" dict -}}
    {{- end -}}
@ -65,6 +69,14 @@ stringData:
    {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}}
    {{- $_ := set .Values.gitea.config.server "APP_DATA_PATH" "/data" -}}
    {{- end -}}
+    {{- if not (hasKey .Values.gitea.config.server "PPROF_ENABLED") -}}
+    {{- $_ := set .Values.gitea.config.server "PPROF_ENABLED" false -}}
+    {{- end -}}
+
+    {{- /* metrics default settings */ -}}
+    {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
+    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
+    {{- end -}}

    {{- /* database default settings */ -}}
    {{- if .Values.gitea.database.builtIn.postgresql.enabled -}}
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
@ -8,6 +8,14 @@ type: Opaque
 stringData:
  init_gitea.sh: |-
    #!/bin/bash
+    {{- if .Values.initPreScript }}
+    # BEGIN: initPreScript
+    {{- with .Values.initPreScript -}}
+    {{ . | nindent 4}}
+    {{- end -}}
+    # END: initPreScript
+    {{- end }}
+
    mkdir -p /data/git/.ssh
    chmod -R 700 /data/git/.ssh
    mkdir -p /data/gitea/conf
@ -32,4 +40,4 @@ stringData:
      {{- include "gitea.ldap_settings" . | nindent 6 }} \
    ) \
    {{- end }}
-    '
+    '
--- a/templates/gitea/servicemonitor.yaml
+++ b/templates/gitea/servicemonitor.yaml
@ -0,0 +1,14 @@
+{{- if .Values.gitea.metrics.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "gitea.fullname" . }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "gitea.selectorLabels" . | nindent 6 }}
+  endpoints:
+  - port: http
+{{- end -}}
--- a/templates/gitea/ssh-svc.yaml
+++ b/templates/gitea/ssh-svc.yaml
@ -8,8 +8,16 @@ metadata:
    {{- toYaml .Values.service.ssh.annotations | nindent 4 }}
 spec:
  type: {{ .Values.service.ssh.type }}
-  {{- if and .Values.service.ssh.loadBalancerIP (eq .Values.service.ssh.type "LoadBalancer") }}
+  {{- if eq .Values.service.ssh.type "LoadBalancer" }}
+  {{- if .Values.service.ssh.loadBalancerIP }}
  loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
+  {{- end -}}
+  {{- if .Values.service.ssh.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range .Values.service.ssh.loadBalancerSourceRanges }}
+    - {{ . }}
+  {{- end }}
+  {{- end }}
  {{- end }}
  {{- if and .Values.service.ssh.clusterIP (eq .Values.service.ssh.type "ClusterIP") }}
  clusterIP: {{ .Values.service.ssh.clusterIP }}
--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
@ -14,6 +14,7 @@ spec:
    metadata:
      annotations:
        checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }}
+        checksum/ldap: {{ include "gitea.ldap_settings" . | sha256sum }}
        {{- with .Values.gitea.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
@ -30,6 +31,11 @@ spec:
        - name: init
          image: "{{ .Values.image.repository }}:{{ ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") }}"
          command: ["/usr/sbin/init_gitea.sh"]
+          env:
+          {{- range .Values.statefulset.env }}
+          - name: {{ .name | quote | nospace }}
+            value: {{ .value | quote }}
+          {{- end }}
          volumeMounts:
            - name: init
              mountPath: /usr/sbin
@ -37,6 +43,9 @@ spec:
              mountPath: /etc/gitea/conf
            - name: data
              mountPath: /data
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
      terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
      containers:
        - name: {{ .Chart.Name }}
@ -57,6 +66,10 @@ spec:
              containerPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
            - name: http
              containerPort: {{ .Values.gitea.config.server.HTTP_PORT }}
+            {{- if .Values.gitea.config.server.PPROF_ENABLED }}
+            - name: profiler
+              containerPort: 6060
+            {{- end }}
          livenessProbe:
            tcpSocket:
              port: http
@ -77,6 +90,9 @@ spec:
          volumeMounts:
            - name: data
              mountPath: /data
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
@ -97,6 +113,9 @@ spec:
        - name: config
          secret:
            secretName: {{ include "gitea.fullname" . }}
+        {{- if .Values.extraVolumes }}
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- end }}
  {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
        - name: data
          persistentVolumeClaim:
@ -108,6 +127,18 @@ spec:
  volumeClaimTemplates:
    - metadata:
        name: data
+      {{- with .Values.persistence.annotations }}
+        annotations:
+        {{- range $key, $value := . }}
+          {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- end }}
+      {{- with .Values.persistence.labels }}
+        labels:
+        {{- range $key, $value := . }}
+          {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- end }}
      spec:
        accessModes:
          {{- range .Values.persistence.accessModes }}
--- a/values.yaml
+++ b/values.yaml
@ -8,7 +8,7 @@ clusterDomain: cluster.local

 image:
  repository: gitea/gitea
-  tag: 1.13.1
+  tag: 1.13.2
  pullPolicy: Always

 imagePullSecrets: []
@ -29,6 +29,7 @@ service:
    #nodePort:
    #externalTrafficPolicy:
    #externalIPs:
+    loadBalancerSourceRanges: []
    annotations:

 ingress:
@ -69,10 +70,37 @@ statefulset:

 persistence:
  enabled: true
-  # existingClaim: 
+  # existingClaim:
  size: 10Gi
  accessModes:
    - ReadWriteOnce
+  labels: {}
+  annotations: {}
+
+# additional volumes to add to the Gitea statefulset.
+extraVolumes:
+# - name: postgres-ssl-vol
+#   secret:
+#     secretName: gitea-postgres-ssl
+
+
+# additional volumes to mount, both to the init container and to the main
+# container. As an example, can be used to mount a client cert when connecting
+# to an external Postgres server.
+extraVolumeMounts:
+# - name: postgres-ssl-vol
+#   readOnly: true
+#   mountPath: "/pg-ssl"
+
+# bash shell script copied verbatim to the start of the init-container.
+initPreScript: ""
+#
+# initPreScript: |
+#   mkdir -p /data/git/.postgresql
+#   cp /pg-ssl/* /data/git/.postgresql/
+#   chown -R git:git /data/git/.postgresql/
+#   chmod 400 /data/git/.postgresql/postgresql.key
+

 gitea:
  admin:
@ -80,6 +108,11 @@ gitea:
    password: r8sA8CPHD9!bt6d
    email: "gitea@local.domain"

+  metrics:
+    enabled: false
+    serviceMonitor:
+      enabled: false
+
  ldap:
    enabled: false
    #name: 
@ -93,11 +126,12 @@ gitea:
    #bindDn: 
    #bindPassword: 
    #usernameAttribute: 
+    #sshPublicKeyAttribute:

  config: {}
  #  APP_NAME: "Gitea: Git with a cup of tea"
-  #  RUN_MODE: dev   
-  #   
+  #  RUN_MODE: dev
+  #
  #  server:
  #    SSH_PORT: 22
  #
Author	SHA1	Message	Date
JPRbrs	28e94f96e3	Add loadbalancersourceranges to ssh service (#105 ) SSH service might want to limit the a range of source IPs. LoadBalancerSourceRanges enables to limit them just passing a list of CIDR addresses to whitelist Co-authored-by: javier <perezrubio.javier@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/105 Reviewed-by: luhahn <luhahn@noreply.gitea.io> Reviewed-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: JPRbrs <jprbrs@noreply.gitea.io> Co-committed-by: JPRbrs <jprbrs@noreply.gitea.io>	2021-02-05 04:42:42 +08:00
techknowlogick	b5ab7201d1	1.13.2 (#108 ) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/108 Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Reviewed-by: luhahn <luhahn@noreply.gitea.io> Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-committed-by: techknowlogick <techknowlogick@gitea.io>	2021-02-05 01:46:55 +08:00
sanigo	4ad5cf1d19	Add sshPublicKeyAttribute attribute setting for ldap auth，and Allow setting labels and annotations for gitea pvc. (#76 ) 1. sshPublicKeyAttribute is useful to sync ssh public keys from ldap. 2. It would be easier to set pvc annotations/labels for those who are using storage services from cloud providers. Co-authored-by: 钱卫春 <qianwch@chinasofti.com> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/76 Reviewed-by: techknowlogick <techknowlogick@gitea.io> Reviewed-by: luhahn <luhahn@noreply.gitea.io> Co-authored-by: sanigo <sanigo@noreply.gitea.io> Co-committed-by: sanigo <sanigo@noreply.gitea.io>	2021-01-22 16:24:37 +08:00
JosefWN	7f828e87f6	Add support for metrics and pprof (#100 ) Adds support for toggling support for `pprof` and metrics: ```yaml gitea: pprofEnabled: true metrics: enabled: true serviceMonitor: enabled: true ``` Co-authored-by: josef <josef.nilsen@outlook.com> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/100 Reviewed-by: luhahn <luhahn@noreply.gitea.io> Reviewed-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: JosefWN <josefwn@noreply.gitea.io> Co-committed-by: JosefWN <josefwn@noreply.gitea.io>	2021-01-21 23:45:26 +08:00
petergardfjall	57479bdf37	enhancements to support postgres client-cert authentication (#47 ) This PR adds a few new chart features which adds to the flexibility of the chart. - allow extra volumes to be mounted (such as secrets): 2f862c5a48 - pass environment variables also to the init-container: 7044049478 - allow a preparation script to be "injected" into the init-container: 6125a69345 As a concrete example of how this can be used, I use is to configure Gitea to use client certificate authentication against an external Postgres database. That could be accomplished by having a `gitea-postgres-ssl` secret: ``` apiVersion: v1 kind: Secret type: Opaque metadata: name: gitea-postgres-ssl data: postgresql.crt: <base64...> postgresql.key: <base64...> root.crt: <base64...> ``` and then mounting this as a volume in Gitea using: ``` extraVolumes: - name: postgres-ssl-vol secret: secretName: gitea-postgres-ssl extraVolumeMounts: - name: postgres-ssl-vol readOnly: true mountPath: "/pg-ssl" ``` To get the right permissions on the credentials, we'd use the `initPreScript`: ``` initPreScript: \| # copy postgres client and CA cert from mount and # give proper permissions mkdir -p /data/git/.postgresql cp /pg-ssl/* /data/git/.postgresql/ chown -R git:git /data/git/.postgresql/ chmod 400 /data/git/.postgresql/postgresql.key ``` and to make sure that Gitea uses the certificate we need to pass the proper postgres environment variables (both to the init container and the "main" container): ``` statefulset: env: - name: "PGSSLCERT" value: "/data/git/.postgresql/postgresql.crt" - name: "PGSSLKEY" value: "/data/git/.postgresql/postgresql.key" - name: "PGSSLROOTCERT" value: "/data/git/.postgresql/root.crt" ``` Co-authored-by: Peter Gardfjäll <peter.gardfjall.work@gmail.com> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/47 Reviewed-by: luhahn <luhahn@noreply.gitea.io> Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: petergardfjall <petergardfjall@noreply.gitea.io> Co-committed-by: petergardfjall <petergardfjall@noreply.gitea.io>	2021-01-20 19:28:39 +08:00
luhahn	0c8f226f1f	Add ldap checksum (#101 ) Fixed an error in ldap port setting. Added ldap checksum to deployment so chart will actually update on ldap changes. Fixes: #99 Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/101 Reviewed-by: lafriks <lafriks@noreply.gitea.io> Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: luhahn <luhahn@noreply.gitea.io> Co-committed-by: luhahn <luhahn@noreply.gitea.io>	2021-01-14 15:13:49 +08:00
fabioluciano	daba777e24	Update 'README.md' (#102 ) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/102 Reviewed-by: luhahn <luhahn@noreply.gitea.io> Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: fabioluciano <fabioluciano@noreply.gitea.io> Co-committed-by: fabioluciano <fabioluciano@noreply.gitea.io>	2021-01-13 23:49:58 +08:00