README.md

@@ -756,13 +756,10 @@ Metrics endpoint `/metrics` can be secured by using `Bearer` token authenticatio
 ```yaml
 gitea:
   metrics:
+    token: "secure-token"
     enabled: true
     serviceMonitor:
       enabled: true
-
-  config:
-    metrics:
-      TOKEN: "secure-token"
 ```
 
 ## Pod annotations
@@ -1036,6 +1033,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | `gitea.admin.email`                          | Email for the Gitea admin user                                                                                                 | `gitea@local.domain` |
 | `gitea.admin.passwordMode`                   | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated  | `keepUpdated`        |
 | `gitea.metrics.enabled`                      | Enable Gitea metrics                                                                                                           | `false`              |
+| `gitea.metrics.token`                        | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public.              | `nil`                |
 | `gitea.metrics.serviceMonitor.enabled`       | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false`              |
 | `gitea.metrics.serviceMonitor.interval`      | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.                      | `""`                 |
 | `gitea.metrics.serviceMonitor.relabelings`   | RelabelConfigs to apply to samples before scraping.                                                                            | `[]`                 |

templates/_helpers.tpl

@@ -278,6 +278,9 @@ https
   {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
     {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
   {{- end -}}
+  {{- if not (hasKey .Values.gitea.config.metrics "TOKEN") -}}
+    {{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}}
+  {{- end -}}
   {{- /* redis queue */ -}}
   {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
     {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}

templates/gitea/metrics-secret.yaml

@@ -1,4 +1,4 @@
-{{- if and (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.config.metrics) (.Values.gitea.config.metrics.TOKEN) -}}
+{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -8,5 +8,5 @@ metadata:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 data:
-  token: {{ .Values.gitea.config.metrics.TOKEN  | b64enc }}
+  token: {{ .Values.gitea.metrics.token  | b64enc }}
 {{- end }}

templates/gitea/servicemonitor.yaml

@@ -32,7 +32,7 @@ spec:
     tlsConfig:
       {{- . | toYaml | nindent 6 }}
     {{- end }}
-    {{- if and (.Values.gitea.config.metrics) (.Values.gitea.config.metrics.TOKEN) }}
+    {{- if .Values.gitea.metrics.token }}
     authorization:
       type: Bearer
       credentials:

unittests/config/metrics-section_metrics-token.yaml

@@ -0,0 +1,19 @@
+suite: config template | metrics section (metrics token)
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: metrics token is set
+    template: templates/gitea/config.yaml
+    set:
+      gitea:
+        metrics:
+          enabled: true
+          token: "somepassword"
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.metrics
+          value: |-
+            ENABLED=true
+            TOKEN=somepassword

unittests/metric-secret/metrics-secret-servicemonitor-disabled.yaml

@@ -5,19 +5,19 @@ release:
 templates:
   - templates/gitea/metrics-secret.yaml
 tests:
-  - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN empty
+  - it: renders nothing if monitoring disabled and gitea.metrics.token empty
     set:
       gitea.metrics.enabled: false
       gitea.metrics.serviceMonitor.enabled: false
-      gitea.config.metrics.TOKEN: ""
+      gitea.metrics.token: ""
     asserts:
       - hasDocuments:
           count: 0
-  - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN not empty
+  - it: renders nothing if monitoring disabled and gitea.metrics.token not empty
     set:
       gitea.metrics.enabled: false
       gitea.metrics.serviceMonitor.enabled: false
-      gitea.config.metrics.TOKEN: "test-token"
+      gitea.metrics.token: "test-token"
     asserts:
       - hasDocuments:
           count: 0

unittests/metric-secret/metrics-secret-servicemonitor-enabled.yaml

@@ -5,19 +5,19 @@ release:
 templates:
   - templates/gitea/metrics-secret.yaml
 tests:
-  - it: renders nothing if gitea.metrics.serviceMonitor enabled and gitea.config.metrics.TOKEN empty
+  - it: renders nothing if monitoring enabled and gitea.metrics.token empty
     set:
       gitea.metrics.enabled: true
       gitea.metrics.serviceMonitor.enabled: true
-      gitea.config.metrics.TOKEN: ""
+      gitea.metrics.token: ""
     asserts:
       - hasDocuments:
           count: 0
-  - it: renders Secret if gitea.metrics.serviceMonitor enabled and gitea.config.metrics.TOKEN not empty
+  - it: renders Secret if monitoring enabled and gitea.metrics.token not empty
     set:
       gitea.metrics.enabled: true
       gitea.metrics.serviceMonitor.enabled: true
-      gitea.config.metrics.TOKEN: "test-token"
+      gitea.metrics.token: "test-token"
     asserts:
       - hasDocuments:
           count: 1

unittests/servicemonitor/servicemonitor-disabled.yaml

@@ -5,19 +5,19 @@ release:
 templates:
   - templates/gitea/servicemonitor.yaml
 tests:
-  - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN empty
+  - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty
     set:
       gitea.metrics.enabled: false
+      gitea.metrics.token: ""
       gitea.metrics.serviceMonitor.enabled: false
-      gitea.config.metrics.TOKEN: ""
     asserts:
       - hasDocuments:
           count: 0
-  - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.config.metrics.TOKEN not empty
+  - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token not empty
     set:
       gitea.metrics.enabled: false
+      gitea.metrics.token: "test-token"
       gitea.metrics.serviceMonitor.enabled: false
-      gitea.config.metrics.TOKEN: "test-token"
     asserts:
       - hasDocuments:
           count: 0

unittests/servicemonitor/servicemonitor-enabled.yaml

@@ -5,11 +5,11 @@ release:
 templates:
   - templates/gitea/servicemonitor.yaml
 tests:
-  - it: renders unsecure ServiceMonitor if gitea.config.metrics.TOKEN empty
+  - it: renders unsecure ServiceMonitor if gitea.metrics.token nil
     set:
       gitea.metrics.enabled: true
+      gitea.metrics.token:
       gitea.metrics.serviceMonitor.enabled: true
-      gitea.config.metrics.TOKEN: ""
     asserts:
       - hasDocuments:
           count: 1
@@ -24,11 +24,30 @@ tests:
           path: spec.endpoints
           value:
             - port: http
-  - it: renders secure ServiceMonitor if gitea.config.metrics.TOKEN not empty
+  - it: renders unsecure ServiceMonitor if gitea.metrics.token empty
     set:
       gitea.metrics.enabled: true
+      gitea.metrics.token: ""
+      gitea.metrics.serviceMonitor.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - documentIndex: 0
+        containsDocument:
+          kind: ServiceMonitor
+          apiVersion: monitoring.coreos.com/v1
+          name: gitea-unittests
+      - isNotNullOrEmpty:
+          path: metadata.labels
+      - equal:
+          path: spec.endpoints
+          value:
+            - port: http
+  - it: renders secure ServiceMonitor if gitea.metrics.token not empty
+    set:
+      gitea.metrics.enabled: true
+      gitea.metrics.token: "test-token"
       gitea.metrics.serviceMonitor.enabled: true
-      gitea.config.metrics.TOKEN: "test-token"
     asserts:
       - hasDocuments:
           count: 1

values.yaml

@@ -365,6 +365,7 @@ gitea:
     passwordMode: keepUpdated
 
   ## @param gitea.metrics.enabled Enable Gitea metrics
+  ## @param gitea.metrics.token used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public.
   ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally.
   ## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
   ## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping.
@@ -373,6 +374,7 @@ gitea:
   ## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
   metrics:
     enabled: false
+    token:
     serviceMonitor:
       enabled: false
       #  additionalLabels: