Compare commits
18 Commits
Author | SHA1 | Date | |
---|---|---|---|
a466206d9e | ||
80032dfc5c | ||
52ed32ae74 | ||
b06b3edf1d | ||
a7bc46015e | ||
46b190adda | ||
d94226765d | ||
844c8daa0b | ||
982ae60d8e | ||
62b82459de | ||
9530967163 | ||
d35de55248 | ||
78b5858009 | ||
1a3ce54dfc | ||
6896c7caae | ||
7bdf742e81 | ||
f2948646ba | ||
c010c3857e |
@ -10,14 +10,14 @@ platform:
|
||||
steps:
|
||||
- name: helm lint
|
||||
pull: always
|
||||
image: alpine:3.13
|
||||
image: alpine:3.15
|
||||
commands:
|
||||
- apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
|
||||
- helm lint
|
||||
|
||||
- name: helm template
|
||||
pull: always
|
||||
image: alpine:3.13
|
||||
image: alpine:3.15
|
||||
commands:
|
||||
- apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
|
||||
- helm dependency update
|
||||
@ -58,7 +58,7 @@ trigger:
|
||||
steps:
|
||||
- name: generate-chart
|
||||
pull: always
|
||||
image: alpine:3.13
|
||||
image: alpine:3.15
|
||||
commands:
|
||||
- apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
|
||||
- apk add --no-cache curl
|
||||
@ -74,8 +74,7 @@ steps:
|
||||
image: plugins/s3:latest
|
||||
settings:
|
||||
bucket: gitea-artifacts
|
||||
endpoint: https://storage.gitea.io
|
||||
path_style: true
|
||||
endpoint: https://ams3.digitaloceanspaces.com
|
||||
access_key:
|
||||
from_secret: aws_access_key_id
|
||||
secret_key:
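Review bot: The helm binary is still installed from the unpinned `edge/testing` repository (`apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm`) in all three steps, so lint, template and the packaged release artifact depend on whatever helm build edge/testing carries on the day the pipeline runs; the 3.13 to 3.15 bump does not change that. apk verifies package signatures against the keys shipped in the base image, so the plain-HTTP mirror URL is not by itself an integrity problem, but a testing-repository package is not a reproducible toolchain. Pinning helm, e.g. `apk add --no-cache helm=<version>` from a stable repository if the release carries it, or an `alpine/helm:<version>` step image, would make the chart build reproducible. In the third hunk the upload step now targets `ams3.digitaloceanspaces.com` while still reading `aws_access_key_id`; worth confirming that secret now holds a Spaces key scoped to `gitea-artifacts` rather than a reused AWS credential.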
|
||||
|
@ -3,7 +3,7 @@ name: gitea
|
||||
description: Gitea Helm chart for Kubernetes
|
||||
type: application
|
||||
version: 0.0.0
|
||||
appVersion: 1.15.8
|
||||
appVersion: 1.16.8
|
||||
icon: https://docs.gitea.io/images/gitea.png
|
||||
|
||||
keywords:
|
||||
|
75
README.md
75
README.md
@ -239,7 +239,7 @@ service and ingress settings. All defaults can be overwritten in `gitea.config`.
|
||||
INSTALL_LOCK is always set to true, since we want to configure Gitea with this
|
||||
helm chart and everything is taken care of.
|
||||
|
||||
*All default settings are made directly in the generated app.ini, not in the Values.*
|
||||
_All default settings are made directly in the generated app.ini, not in the Values._
|
||||
|
||||
#### Database defaults
|
||||
|
||||
@ -341,6 +341,55 @@ data:
|
||||
ENABLED=true
|
||||
```
|
||||
|
||||
Or when using a Kubernetes secret, having the same data structure:
|
||||
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: gitea-security-related-configuration
|
||||
type: Opaque
|
||||
stringData:
|
||||
security: |
|
||||
PASSWORD_COMPLEXITY=off
|
||||
session: |
|
||||
SAME_SITE=strict
|
||||
```
|
||||
|
||||
#### User defined environment variables in app.ini
|
||||
|
||||
Users are able to define their own environment variables,
|
||||
which are loaded into the containers. We also support to
|
||||
directly interact with the generated _app.ini_.
|
||||
|
||||
To inject self defined variables into the _app.ini_ a
|
||||
certain format needs to be honored. This is
|
||||
described in detail on the [env-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini)
|
||||
page.
|
||||
|
||||
Note that the Prefix on this helm chart is `ENV_TO_INI`.
|
||||
|
||||
For example a database setting needs to have the following
|
||||
format:
|
||||
|
||||
```yaml
|
||||
gitea:
|
||||
additionalConfigFromEnvs:
|
||||
- name: ENV_TO_INI__DATABASE__HOST
|
||||
value: my.own.host
|
||||
- name: ENV_TO_INI__DATABASE__PASSWD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: postgres-secret
|
||||
key: password
|
||||
```
|
||||
|
||||
Priority (highest to lowest) for defining app.ini variables:
|
||||
|
||||
1. Environment variables prefixed with `ENV_TO_INI`
|
||||
2. Additional config sources
|
||||
3. Values defined in `gitea.config`
|
||||
|
||||
### External Database
|
||||
|
||||
An external Database can be used instead of builtIn PostgreSQL or MySQL.
|
||||
@ -396,7 +445,7 @@ service:
|
||||
|
||||
### SSH and Ingress
|
||||
|
||||
If you're using ingress and won't to use SSH, keep in mind, that ingress is not
|
||||
If you're using ingress and want to use SSH, keep in mind, that ingress is not
|
||||
able to forward SSH Ports. You will need a LoadBalancer like `metallb` and a
|
||||
setting in your ssh service annotations.
|
||||
|
||||
@ -669,6 +718,7 @@ gitea:
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| ------------------------------------------- | -------------------------------------------------------------------- | ------- |
|
||||
| `statefulset.annotations` | Annotations for the Gitea StatefulSet to be created | `{}` |
|
||||
| `statefulset.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod | `60` |
|
||||
| `statefulset.env` | Additional environment variables to pass to containers | `[]` |
|
||||
| `extraVolumes` | Additional volumes to mount to the Gitea statefulset | `{}` |
|
||||
@ -680,12 +730,12 @@ gitea:
|
||||
|
||||
### Image
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| ------------------ | ----------------------------------------------------------------------------------------- | ------------- |
|
||||
| `image.repository` | Image to start for this pod | `gitea/gitea` |
|
||||
| `image.tag` | [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | `1.15.8` |
|
||||
| `image.pullPolicy` | Image pull policy | `Always` |
|
||||
| `image.rootless` | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher | `false` |
|
||||
| Parameter | Description | Default |
|
||||
| ------------------ | ----------------------------------------------------------------------------------------- | ---------------------------------- |
|
||||
| `image.repository` | Image to start for this pod | `gitea/gitea` |
|
||||
| `image.tag` | [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | see [Chart.AppVersion](Chart.yaml) |
|
||||
| `image.pullPolicy` | Image pull policy | `Always` |
|
||||
| `image.rootless` | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher | `false` |
|
||||
|
||||
### Persistence
|
||||
|
||||
@ -726,9 +776,13 @@ gitea:
|
||||
| `service.http.nodePort` | NodePort for http service | |
|
||||
| `service.http.externalTrafficPolicy` | If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | |
|
||||
| `service.http.externalIPs` | http service external IP addresses | |
|
||||
| `service.http.ipFamilyPolicy` | http service dual-stack policy | |
|
||||
| `service.http.ipFamilies` | http service dual-stack familiy selection | |
|
||||
| `service.http.loadBalancerSourceRanges` | Source range filter for http loadbalancer | `[]` |
|
||||
| `service.http.annotations` | http service annotations | |
|
||||
|
||||
For dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/).
|
||||
|
||||
#### SSH
|
||||
|
||||
| Parameter | Description | Default |
|
||||
@ -737,11 +791,16 @@ gitea:
|
||||
| `service.ssh.port` | Port for ssh traffic | `22` |
|
||||
| `service.ssh.loadBalancerIP` | LoadBalancer Ip setting | |
|
||||
| `service.ssh.nodePort` | NodePort for ssh service | |
|
||||
| `service.ssh.hostPort` | HostPort for ssh service | |
|
||||
| `service.ssh.externalTrafficPolicy` | If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | |
|
||||
| `service.ssh.externalIPs` | ssh service external IP addresses | |
|
||||
| `service.ssh.ipFamilyPolicy` | ssh service dual-stack policy | |
|
||||
| `service.ssh.ipFamilies` | ssh service dual-stack familiy selection | |
|
||||
| `service.ssh.loadBalancerSourceRanges` | Source range filter for ssh loadbalancer | `[]` |
|
||||
| `service.ssh.annotations` | ssh service annotations | |
|
||||
|
||||
For dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/).
|
||||
|
||||
### Gitea Configuration
|
||||
|
||||
| Parameter | Description | Default |
|
||||
|
@ -36,7 +36,7 @@ Create image name and tag used by the deployment.
|
||||
*/}}
|
||||
{{- define "gitea.image" -}}
|
||||
{{- $name := .Values.image.repository -}}
|
||||
{{- $tag := ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") -}}
|
||||
{{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
|
||||
{{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
|
||||
{{- printf "%s:%s%s" $name $tag $rootless -}}
|
||||
{{- end -}}
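Review bot: The new `$tag` line drops the `image.version` fallback that the removed `ternary ... (hasKey .Values.image "version")` provided, so a user who still sets `image.version` silently gets the chart's `appVersion` instead of the tag they pinned, and with the default `pullPolicy: Always` that is an unintended image change on the next rollout. Consider failing loudly instead of ignoring the stale key: `{{- if hasKey .Values.image "version" }}{{- fail "image.version is no longer supported; set image.tag instead" }}{{- end }}` just before the `$tag` assignment, or at minimum call the removal out in the README's image table, which this compare already touches.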
|
||||
@ -48,10 +48,8 @@ Common labels
|
||||
helm.sh/chart: {{ include "gitea.chart" . }}
|
||||
app: {{ include "gitea.name" . }}
|
||||
{{ include "gitea.selectorLabels" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
|
||||
version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end -}}
|
||||
|
||||
@ -63,30 +61,6 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "db.servicename" -}}
|
||||
{{- if .Values.postgresql.enabled -}}
|
||||
{{- printf "%s-postgresql" .Release.Name -}}
|
||||
{{- else if .Values.mysql.enabled -}}
|
||||
{{- printf "%s-mysql" .Release.Name -}}
|
||||
{{- else if .Values.mariadb.enabled -}}
|
||||
{{- printf "%s-mariadb" .Release.Name -}}
|
||||
{{- else if ne .Values.gitea.config.database.DB_TYPE "sqlite3" -}}
|
||||
{{- $parts := split ":" .Values.gitea.config.database.HOST -}}
|
||||
{{- printf "%s %s" $parts._0 $parts._1 -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "db.port" -}}
|
||||
{{- if .Values.postgresql.enabled -}}
|
||||
{{ .Values.postgresql.global.postgresql.servicePort }}
|
||||
{{- else if .Values.mysql.enabled -}}
|
||||
{{ .Values.mysql.service.port }}
|
||||
{{- else if .Values.mariadb.enabled -}}
|
||||
{{ .Values.mariadb.primary.service.port }}
|
||||
{{- else -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "postgresql.dns" -}}
|
||||
{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.servicePort -}}
|
||||
{{- end -}}
|
||||
|
@ -63,6 +63,41 @@ stringData:
|
||||
export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase
|
||||
}
|
||||
|
||||
function env2ini::reload_preset_envs() {
|
||||
env2ini::log "Reloading preset envs..."
|
||||
|
||||
while read -r line; do
|
||||
if [[ -z "${line}" ]]; then
|
||||
# skip empty line
|
||||
return
|
||||
fi
|
||||
|
||||
# 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
|
||||
local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
|
||||
|
||||
if [[ -z "${setting}" ]]; then
|
||||
env2ini::log ' ! invalid setting'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
local value=''
|
||||
local regex="^${setting}(\s*)=(\s*)(.*)"
|
||||
if [[ $line =~ $regex ]]; then
|
||||
value="${BASH_REMATCH[3]}"
|
||||
else
|
||||
env2ini::log ' ! invalid setting'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
env2ini::log " + '${setting}'"
|
||||
|
||||
export "${setting^^}=${value}" # '^^' makes the variable content uppercase
|
||||
done < "/tmp/existing-envs"
|
||||
|
||||
rm /tmp/existing-envs
|
||||
}
|
||||
|
||||
|
||||
function env2ini::process_config_file() {
|
||||
local config_file="${1}"
|
||||
local section="$(basename "${config_file}")"
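Review bot: `return` in the `# skip empty line` branch of `env2ini::reload_preset_envs` leaves the whole function, not just the current iteration of the `while read` loop, so a blank line in `/tmp/existing-envs` silently stops the reload of every remaining `ENV_TO_INI` variable and skips the `rm`; `continue` is what the comment intends. Relatedly, the loop does `exit 1` on any line without `=`, which is what `env` prints for the second and later lines of a multi-line value, so a multi-line `ENV_TO_INI__*` value (a PEM key, say) would, if I read this right, fail the init container rather than be reloaded; `env -0` with `read -r -d ''` would avoid that. The capture in the later hunk, `env | (grep ENV_TO_INI || [[ $? == 1 ]])`, also matches the string anywhere on a line including inside values of unrelated variables, where `grep '^ENV_TO_INI'` limits it to the prefix. Note the temp file holds secret values (database passwords arrive this way per the README) in clear text and is only removed on the success path.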
|
||||
@ -104,12 +139,17 @@ stringData:
|
||||
env2ini::log "...Initial secrets generated\n"
|
||||
}
|
||||
|
||||
env | (grep ENV_TO_INI || [[ $? == 1 ]]) > /tmp/existing-envs
|
||||
|
||||
# MUST BE CALLED BEFORE OTHER CONFIGURATION
|
||||
env2ini::generate_initial_secrets
|
||||
|
||||
env2ini::load_config_sources '/env-to-ini-mounts/inlines/'
|
||||
env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
|
||||
|
||||
# load existing envs to override auto generated envs
|
||||
env2ini::reload_preset_envs
|
||||
|
||||
env2ini::log "=== All configuration sources loaded ===\n"
|
||||
|
||||
# safety to prevent rewrite of secret keys if an app.ini already exists
|
||||
|
@ -21,6 +21,13 @@ spec:
|
||||
externalIPs:
|
||||
{{- toYaml .Values.service.http.externalIPs | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.service.http.ipFamilyPolicy }}
|
||||
ipFamilyPolicy: {{ .Values.service.http.ipFamilyPolicy }}
|
||||
{{- end }}
|
||||
{{- with .Values.service.http.ipFamilies }}
|
||||
ipFamilies:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end -}}
|
||||
{{- if .Values.service.http.externalTrafficPolicy }}
|
||||
externalTrafficPolicy: {{ .Values.service.http.externalTrafficPolicy }}
|
||||
{{- end }}
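Review bot: The `{{- end -}}` closing the new `ipFamilies` block (right after `toYaml . | nindent 4`) trims the newline after it, unlike the `{{- end }}` used for `ipFamilyPolicy` and `externalTrafficPolicy` in the same hunk; the rendered Service stays valid only because the next line begins with a left-trimming `{{- if`, and a plain YAML key inserted after this block would be glued onto the last `ipFamilies` entry. `{{- end }}` keeps it consistent with its siblings and removes the dependency on whatever line follows.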
|
||||
|
@ -40,31 +40,15 @@ stringData:
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
{{- if include "db.servicename" . }}
|
||||
# Connection retry inspired by https://gist.github.com/dublx/e99ea94858c07d2ca6de
|
||||
function test_db_connection() {
|
||||
local RETRY=0
|
||||
local MAX=30
|
||||
|
||||
echo 'Wait for database to become avialable...'
|
||||
until [ "${RETRY}" -ge "${MAX}" ]; do
|
||||
nc -vz -w2 {{ include "db.servicename" . }} {{ include "db.port" . }} && break
|
||||
RETRY=$[${RETRY}+1]
|
||||
echo "...not ready yet (${RETRY}/${MAX})"
|
||||
done
|
||||
|
||||
if [ "${RETRY}" -ge "${MAX}" ]; then
|
||||
echo "Database not reachable after '${MAX}' attempts!"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
test_db_connection
|
||||
{{- end }}
|
||||
|
||||
echo '==== BEGIN GITEA CONFIGURATION ===='
|
||||
|
||||
gitea migrate
|
||||
{ # try
|
||||
gitea migrate
|
||||
} || { # catch
|
||||
echo "Gitea migrate might fail due to database connection...This init-container will try again in a few seconds"
|
||||
exit 1
|
||||
}
|
||||
|
||||
|
||||
{{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
|
||||
function configure_admin_user() {
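Review bot: The `{ gitea migrate } || { ... exit 1 }` wrapper at the `# try`/`# catch` lines does not add a retry: under the `set -euo pipefail` above, a failing `gitea migrate` already ends the script, so the net effect is a fixed exit status of 1 plus a message whose "will try again in a few seconds" depends on the kubelet restarting the init container, and with CrashLoopBackOff that interval grows to minutes where the removed `test_db_connection` loop retried with a 2-second connect timeout. If the intent is to tolerate a database that is still starting, retry in-script with a bounded loop as sketched below (this assumes `gitea migrate` is safe to re-run on a not-yet-ready database, which the removed connection probe also relied on). Either way, surfacing the real exit status rather than a constant 1 helps when debugging failed rollouts. `configure_admin_user` at the end of the hunk continues outside it.
```shell
echo '==== BEGIN GITEA CONFIGURATION ===='

# Retry migrate while the database may still be starting; bounded so a
# genuinely broken database still fails the init container.
RETRY=0
MAX=30
until gitea migrate; do
  RETRY=$((RETRY + 1))
  if [ "${RETRY}" -ge "${MAX}" ]; then
    echo "gitea migrate failed after ${MAX} attempts"
    exit 1
  fi
  echo "...migrate failed, retrying in 2s (${RETRY}/${MAX})"
  sleep 2
done

# … unchanged: configure_admin_user and the rest of the script …
```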
|
||||
|
@ -26,6 +26,13 @@ spec:
|
||||
externalIPs:
|
||||
{{- toYaml .Values.service.ssh.externalIPs | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.service.ssh.ipFamilyPolicy }}
|
||||
ipFamilyPolicy: {{ .Values.service.ssh.ipFamilyPolicy }}
|
||||
{{- end }}
|
||||
{{- with .Values.service.ssh.ipFamilies }}
|
||||
ipFamilies:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end -}}
|
||||
{{- if .Values.service.ssh.externalTrafficPolicy }}
|
||||
externalTrafficPolicy: {{ .Values.service.ssh.externalTrafficPolicy }}
|
||||
{{- end }}
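Review bot: Same trailing-trim issue as in the http Service: the `{{- end -}}` after the `ipFamilies` `toYaml . | nindent 4` differs from the `{{- end }}` on the `ipFamilyPolicy` and `externalTrafficPolicy` blocks beside it and only renders correctly because the following `{{- if` happens to left-trim. Use `{{- end }}` so a later edit that adds a plain key after this block does not produce a malformed Service spec.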
|
||||
|
@ -2,6 +2,10 @@ apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: {{ include "gitea.fullname" . }}
|
||||
annotations:
|
||||
{{- if .Values.statefulset.annotations }}
|
||||
{{- toYaml .Values.statefulset.annotations | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "gitea.labels" . | nindent 4 }}
|
||||
spec:
|
||||
@ -44,6 +48,7 @@ spec:
|
||||
initContainers:
|
||||
- name: init-directories
|
||||
image: "{{ include "gitea.image" . }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
command: ["/usr/sbin/init_directory_structure.sh"]
|
||||
env:
|
||||
- name: GITEA_APP_INI
|
||||
@ -74,6 +79,7 @@ spec:
|
||||
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
|
||||
- name: init-app-ini
|
||||
image: "{{ include "gitea.image" . }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
command: ["/usr/sbin/config_environment.sh"]
|
||||
env:
|
||||
- name: GITEA_APP_INI
|
||||
@ -87,6 +93,9 @@ spec:
|
||||
{{- if .Values.statefulset.env }}
|
||||
{{- toYaml .Values.statefulset.env | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.gitea.additionalConfigFromEnvs }}
|
||||
{{- toYaml .Values.gitea.additionalConfigFromEnvs | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /usr/sbin
|
||||
@ -111,6 +120,7 @@ spec:
|
||||
- name: configure-gitea
|
||||
image: "{{ include "gitea.image" . }}"
|
||||
command: ["/usr/sbin/configure_gitea.sh"]
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
securityContext:
|
||||
{{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
|
||||
{{- $csc := deepCopy .Values.containerSecurityContext -}}
|
||||
@ -228,6 +238,9 @@ spec:
|
||||
ports:
|
||||
- name: ssh
|
||||
containerPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
|
||||
{{- if .Values.service.ssh.hostPort }}
|
||||
hostPort: {{ .Values.service.ssh.hostPort }}
|
||||
{{- end }}
|
||||
- name: http
|
||||
containerPort: {{ .Values.gitea.config.server.HTTP_PORT }}
|
||||
{{- if .Values.gitea.config.server.ENABLE_PPROF }}
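Review bot: The new `hostPort` on the `ssh` container port (the `{{- if .Values.service.ssh.hostPort }}` block) changes the exposure of SSH without any note of it: the port is bound on the node's own IP on whichever node schedules the pod, which side-steps the ssh Service and therefore `service.ssh.loadBalancerSourceRanges`, the only source filter this chart offers, and it also prevents two replicas of the StatefulSet from landing on the same node. Whether NetworkPolicy is enforced for hostPort traffic depends on the CNI, so it should not be assumed. Suggest a comment here and in the README's `service.ssh.hostPort` row along the lines of `# hostPort binds SSH directly on the node IP; it bypasses the ssh Service (and its loadBalancerSourceRanges), so restrict access at the node or network level.`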
|
||||
|
11
values.yaml
11
values.yaml
@ -8,7 +8,8 @@ clusterDomain: cluster.local
|
||||
|
||||
image:
|
||||
repository: gitea/gitea
|
||||
tag: 1.15.8
|
||||
# Overrides the image tag whose default is the chart appVersion.
|
||||
tag: ""
|
||||
pullPolicy: Always
|
||||
rootless: false # only possible when running 1.14 or later
|
||||
|
||||
@ -50,6 +51,8 @@ service:
|
||||
#nodePort:
|
||||
#externalTrafficPolicy:
|
||||
#externalIPs:
|
||||
#ipFamilyPolicy:
|
||||
#ipFamilies:
|
||||
loadBalancerSourceRanges: []
|
||||
annotations:
|
||||
ssh:
|
||||
@ -60,6 +63,9 @@ service:
|
||||
#nodePort:
|
||||
#externalTrafficPolicy:
|
||||
#externalIPs:
|
||||
#ipFamilyPolicy:
|
||||
#ipFamilies:
|
||||
#hostPort:
|
||||
loadBalancerSourceRanges: []
|
||||
annotations:
|
||||
|
||||
@ -111,6 +117,7 @@ statefulset:
|
||||
# value: my-value
|
||||
terminationGracePeriodSeconds: 60
|
||||
labels: {}
|
||||
annotations: {}
|
||||
|
||||
persistence:
|
||||
enabled: true
|
||||
@ -211,6 +218,8 @@ gitea:
|
||||
# - configMap:
|
||||
# name: gitea-app-ini-plaintext
|
||||
|
||||
additionalConfigFromEnvs: []
|
||||
|
||||
podAnnotations: {}
|
||||
|
||||
# Modify the liveness probe for your needs or completely disable it by commenting out.
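Review bot: `additionalConfigFromEnvs: []` is added without the explanatory comment that `tag` received in the same file, although it needs one more: per the README in this compare, only entries named `ENV_TO_INI__<SECTION>__<KEY>` reach app.ini, and the list appears to be spliced into the init-app-ini container's `env`, so secret values belong in `valueFrom.secretKeyRef` rather than inline `value`. Suggest `# Extra env entries for the app.ini init container; only ENV_TO_INI__<SECTION>__<KEY> names are written to app.ini. Use valueFrom/secretKeyRef for secrets so they are not kept in values.` above it. The `#hostPort:` entry in the earlier hunk deserves the same treatment, e.g. `# Binds SSH on the node IP, bypassing the ssh Service and its loadBalancerSourceRanges.`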