Merge remote-tracking branch 'origin/main' into feat/e2e

Michael Kriese 2023-12-06 12:26:28 +01:00
commit 29d1d112d7
No known key found for this signature in database
GPG key ID: B83F553A0724D44E
50 changed files with 2630 additions and 3287 deletions

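--- a/.editorconfig
+++ b/.editorconfig
+# EditorConfig is awesome: https://EditorConfig.org
+# top-most EditorConfig file
+root = true
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = false
+insert_final_newline = false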
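Review bot: `insert_final_newline = false` on the last line conflicts with the `.yamllint` config added in the same commit, which extends yamllint's default rule set and leaves its `new-line-at-end-of-file` rule enabled, so a YAML file saved by an editor honouring this setting fails the new `yaml-lint` CI step. Prettier, also configured here, always writes a trailing newline, so the two tools would disagree on the same files. Consider `insert_final_newline = true`; `trim_trailing_whitespace = false` may be intentional for Markdown hard line breaks, in which case a comment saying so would save the next reader the guess.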


@ -47,7 +47,7 @@ MD013:
# Number of characters # Number of characters
line_length: 200 line_length: 200
# Number of characters for headings # Number of characters for headings
heading_line_length: 80 heading_line_length: 100
# Number of characters for code blocks # Number of characters for code blocks
code_block_line_length: 80 code_block_line_length: 80
# Include code blocks # Include code blocks
@ -106,7 +106,7 @@ MD030:
# MD033/no-inline-html - Inline HTML # MD033/no-inline-html - Inline HTML
MD033: MD033:
# Allowed elements # Allowed elements
allowed_elements: [] allowed_elements: [details, summary]
# MD035/hr-style - Horizontal rule style # MD035/hr-style - Horizontal rule style
MD035: MD035:
@ -131,12 +131,11 @@ MD044:
names: names:
- Gitea - Gitea
- PostgreSQL - PostgreSQL
- MariaDB
- MySQL
- Memcached - Memcached
- Prometheus - Prometheus
- Git - Git
- GitOps - GitOps
- Forgejo
# Include code blocks # Include code blocks
code_blocks: false code_blocks: false


@ -2,3 +2,4 @@
node_modules/ node_modules/
charts/ charts/
.helmignore .helmignore
Chart.lock

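--- a/.prettierignore
+++ b/.prettierignore
@@ -0,0 +1 @@
+Chart.lock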

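--- a/.prettierrc.json
+++ b/.prettierrc.json
@@ -0,0 +1,4 @@
+{
+"singleQuote": true,
+"trailingComma": "all"
+}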

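--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -0,0 +1,8 @@
+{
+"recommendations": [
+"yzhang.markdown-all-in-one",
+"DavidAnson.vscode-markdownlint",
+"Tim-Koehler.helm-intellisense",
+"esbenp.prettier-vscode"
+]
+}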

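--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,8 @@
+{
+"yaml.schemas": {
+"https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.3.6/schema/helm-testsuite.json": [
+"/unittests/**/*.yaml"
+]
+},
+"yaml.schemaStore.enable": true
+}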


@ -11,40 +11,46 @@ when:
pipeline: pipeline:
deps: deps:
image: alpine:3.17.2 image: alpine:3.18.5
pull: true pull: true
commands: commands:
- apk add --no-cache helm - apk add helm
- helm repo add bitnami https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
- helm dependency build - helm dependency build
helm-lint: helm-lint:
image: alpine:3.17.2 image: alpine:3.18.5
pull: true pull: true
commands: commands:
- apk add --no-cache helm - apk add helm
- helm lint - helm lint
helm-template: helm-template:
image: alpine:3.17.2 image: alpine:3.18.5
pull: true pull: true
commands: commands:
- apk add --no-cache helm - apk add helm
- helm template --debug gitea-helm . - helm template --debug gitea-helm .
helm-unittests: helm-unittests:
image: alpine:3.17.2 image: alpine:3.18.5
pull: true pull: true
commands: commands:
- apk add --no-cache make helm git bash - apk add make helm git bash
- helm plugin install https://github.com/helm-unittest/helm-unittest - helm plugin install --version v0.3.6 https://github.com/helm-unittest/helm-unittest
- helm dependency update - helm dependency update
- make unittests - make unittests
verify-readme: verify-readme:
image: alpine:3.17.2 image: alpine:3.18.5
pull: true pull: true
commands: commands:
- apk add --no-cache make nodejs npm git - apk add make nodejs npm git
- make readme - make readme
- git diff --exit-code --name-only README.md - git diff --exit-code --name-only README.md
yaml-lint:
image: alpine:3.18.5
pull: true
commands:
- apk add yamllint
- yamllint -f colored .
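Review bot: The `helm-unittests` step still runs `helm dependency update` (the line after the pinned plugin install), while the `deps` step now runs `helm dependency build`; `update` re-resolves the dependency versions and rewrites `Chart.lock`, so the digest recorded in the lockfile never gates what the unit tests actually run against. Use `- helm dependency build` there as well, so a `Chart.yaml`/`Chart.lock` mismatch fails the pipeline instead of being silently repaired in CI. The `--version v0.3.6` on the plugin install pins a git tag rather than content; if that is the strongest pin the plugin mechanism allows, a short comment saying so would stop a later reviewer from re-raising it.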


@ -10,11 +10,10 @@ when:
pipeline: pipeline:
generate-chart: generate-chart:
image: alpine:3.17.2 image: alpine:3.18.5
pull: true pull: true
commands: commands:
- apk add --no-cache git nodejs npm helm - apk add git nodejs npm helm
- helm repo add bitnami https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
- helm dependency build - helm dependency build
- rm -rf tmp/ - rm -rf tmp/
- helm package --version "${CI_COMMIT_TAG##v}" -d tmp/ ./ - helm package --version "${CI_COMMIT_TAG##v}" -d tmp/ ./
@ -24,7 +23,7 @@ pipeline:
- token - token
publish-release: publish-release:
image: woodpeckerci/plugin-gitea-release:0.2.0 image: codeberg.org/woodpecker-plugins/gitea-release:0.3.1
pull: true pull: true
settings: settings:
base_url: https://codeberg.org base_url: https://codeberg.org
@ -34,12 +33,13 @@ pipeline:
title: ${CI_COMMIT_TAG##v} title: ${CI_COMMIT_TAG##v}
file_exists: fail file_exists: fail
note: tmp/changelog.md note: tmp/changelog.md
target: main
publish-chart: publish-chart:
image: alpine:3.17.2 image: alpine:3.18.5
pull: true pull: true
commands: commands:
- apk add --no-cache helm - apk add helm
- echo $${TOKEN} | helm registry login -u viceice --password-stdin codeberg.org/forgejo-contrib - echo $${TOKEN} | helm registry login -u viceice --password-stdin codeberg.org/forgejo-contrib
- helm push tmp/forgejo-${CI_COMMIT_TAG##v}.tgz oci://codeberg.org/forgejo-contrib - helm push tmp/forgejo-${CI_COMMIT_TAG##v}.tgz oci://codeberg.org/forgejo-contrib
secrets: secrets:

20
.yamllint Normal file

@ -0,0 +1,20 @@
---
extends: default
ignore: |
.yamllint
node_modules
templates
rules:
truthy:
allowed-values: ['true', 'false']
check-keys: False
level: error
line-length: disable
document-start: disable
comments:
min-spaces-from-content: 1
braces:
max-spaces-inside: 2
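Review bot: `check-keys: False` uses a capitalised boolean that the `truthy` rule configured two lines above would itself reject (`allowed-values: ['true', 'false']`), which is presumably why `.yamllint` is listed in its own `ignore:` block. Writing `check-keys: false` lets the config pass the rules it enforces on the rest of the repository, and the self-ignore entry can then be dropped. The `templates` ignore is reasonable since Helm templates are not parseable YAML before rendering; a one-line comment above it, `# Helm templates are Go-templated, not valid YAML until rendered`, would record that.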


@ -9,20 +9,16 @@ refactorings for easier maintainability or documentation improvements.
- [`helm`](https://helm.sh/docs/intro/install/) - [`helm`](https://helm.sh/docs/intro/install/)
- `make` is optional; you may call the commands directly - `make` is optional; you may call the commands directly
When using Visual Studio Code as IDE, following plugins might be useful: When using Visual Studio Code as IDE, a [ready-to-use profile](.vscode/) is available.
- [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one)
- [markdownlint](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint)
- [Helm Intellisense](https://marketplace.visualstudio.com/items?itemName=Tim-Koehler.helm-intellisense)
## Documentation Requirements ## Documentation Requirements
The `README.md` must include all configuration options. The parameters section The `README.md` must include all configuration options.
is generated by extracting the parameter annotations from the `values.yaml` file, The parameters section is generated by extracting the parameter annotations from the `values.yaml` file, by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm).
If changes were made on configuration options, run `make readme` to update the If changes were made on configuration options, run `make readme` to update the README file.
README file.
The ToC is created via the VSCode [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one) extension which can/must also be used used to update it.
## Pull Request Requirements ## Pull Request Requirements
@ -40,23 +36,30 @@ For local development and testing of pull requests, the following workflow can
be used: be used:
1. Install `minikube` and `helm`. 1. Install `minikube` and `helm`.
2. Start a `minikube` cluster via `minikube start`. 1. Start a `minikube` cluster via `minikube start`.
3. From the `gitea/helm-chart` directory execute the following command. This 1. From the `forgejo-contrib/forgejo-helm` directory execute the following command.
will install the dependencies listed in `Chart.yml` and deploy the current This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally.
state of the helm chart found locally. If you want to test a branch, make If you want to test a branch, make sure to switch to the respective branch first.
sure to switch to the respective branch first. `helm install --dependency-update forgejo . -f values.yaml`.
`helm install --dependency-update gitea . -f values.yaml`. 1. Forgejo is now deployed in `minikube`.
4. Gitea is now deployed in `minikube`. To access it, it's port needs to be To access it, it's port needs to be forwarded first from `minikube` to localhost first via `kubectl --namespace
forwarded first from `minikube` to localhost first via `kubectl --namespace default port-forward svc/gitea-http 3000:3000`.
default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at Now Forgejo is accessible at [http://localhost:3000](http://localhost:3000).
[http://localhost:3000](http://localhost:3000).
### Unit tests ### Unit tests
```bash ```bash
# install the unittest plugin # install the unittest plugin
$ helm plugin install https://github.com/heyhabito/helm-unittest $ helm plugin install https://github.com/helm-unittest/helm-unittest
# run the unittests # run the unittests
make unittests make unittests
``` ```
See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md) for usage instructions.
## Release process
1. Create a tag following the tagging schema
1. Push the tag
1. Let CI do it's work


@ -1,15 +1,12 @@
dependencies: dependencies:
- name: memcached
repository: oci://registry-1.docker.io/bitnamicharts
version: 6.3.13
- name: mysql
repository: oci://registry-1.docker.io/bitnamicharts
version: 9.6.0
- name: postgresql - name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 12.2.5 version: 13.2.24
- name: mariadb - name: postgresql-ha
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 11.5.4 version: 12.3.1
digest: sha256:76e850e9265acafac2177dc61323bc36be6291e829204436899c2fd32974869f - name: redis-cluster
generated: "2023-03-21T11:22:08.663556017Z" repository: oci://registry-1.docker.io/bitnamicharts
version: 9.1.3
digest: sha256:f8a15775e3245385109ae0d7a7374163e8e718fd6b38ef3f17dbe142dd600aea
generated: "2023-12-06T11:40:02.8712781+01:00"


@ -3,7 +3,7 @@ name: forgejo
description: Forgejo Helm chart for Kubernetes description: Forgejo Helm chart for Kubernetes
type: application type: application
version: 0.0.0 version: 0.0.0
appVersion: 1.19.0-2 appVersion: 1.21.1-0
icon: https://design.codeberg.org/logo-kit/icon.svg icon: https://design.codeberg.org/logo-kit/icon.svg
home: https://forgejo.org/ home: https://forgejo.org/
@ -25,21 +25,19 @@ maintainers:
# Bitnami charts are served from Docker Hub # Bitnami charts are served from Docker Hub
# https://hub.docker.com/u/bitnamicharts # https://hub.docker.com/u/bitnamicharts
# https://blog.bitnami.com/2023/01/bitnami-helm-charts-available-as-oci.html # https://blog.bitnami.com/2023/01/bitnami-helm-charts-available-as-oci.html
dependencies: dependencies:
- name: memcached # https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml
- name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 6.3.13 version: 13.2.24
condition: memcached.enabled
- name: mysql
repository: oci://registry-1.docker.io/bitnamicharts
version: 9.6.0
condition: mysql.enabled
- name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts
version: 12.2.5
condition: postgresql.enabled condition: postgresql.enabled
- name: mariadb # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
- name: postgresql-ha
repository: oci://registry-1.docker.io/bitnamicharts repository: oci://registry-1.docker.io/bitnamicharts
version: 11.5.4 version: 12.3.1
condition: mariadb.enabled condition: postgresql-ha.enabled
# https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
- name: redis-cluster
repository: oci://registry-1.docker.io/bitnamicharts
version: 9.1.3
condition: redis-cluster.enabled


@ -9,4 +9,9 @@ readme: prepare-environment
.PHONY: unittests .PHONY: unittests
unittests: unittests:
helm unittest --strict -f 'unittests/**/*.yaml' ./ helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' ./
.PHONY: helm
update-helm-dependencies:
helm dependency update
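Review bot: The `.PHONY` line added above the new target names `helm`, but the target it precedes is `update-helm-dependencies`, so that target is not actually marked phony and a file or directory with that name in the working tree would make `make` skip it. Change the line to `.PHONY: update-helm-dependencies`. The `unittests` target now passes `-f 'unittests/dependency-major-image-check.yaml'` alongside `-f 'unittests/**/*.yaml'`; if the glob already matches that file the extra flag is redundant, so a comment explaining why it is listed separately would help.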

673
README.md

@ -1,26 +1,90 @@
# Forgejo Helm Chart # Forgejo Helm Chart <!-- omit from toc -->
[Forgejo](https://forgejo.org/) is a community managed lightweight code hosting [![status-badge](https://ci.dachary.org/api/badges/forgejo-contrib/forgejo-helm/status.svg)](https://ci.dachary.org/forgejo-contrib/forgejo-helm)
solution written in Go. It is published under the MIT license.
- [Introduction](#introduction)
- [Update and versioning policy](#update-and-versioning-policy)
- [Dependencies](#dependencies)
- [Installing](#installing)
- [High Availability](#high-availability)
- [Configuration](#configuration)
- [Default Configuration](#default-configuration)
- [Database defaults](#database-defaults)
- [Server defaults](#server-defaults)
- [Metrics defaults](#metrics-defaults)
- [Rootless Defaults](#rootless-defaults)
- [Single-Pod Configurations](#single-pod-configurations)
- [Additional _app.ini_ settings](#additional-appini-settings)
- [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini)
- [External Database](#external-database)
- [Ports and external url](#ports-and-external-url)
- [ClusterIP](#clusterip)
- [SSH and Ingress](#ssh-and-ingress)
- [SSH on crio based kubernetes cluster](#ssh-on-crio-based-kubernetes-cluster)
- [Cache](#cache)
- [Persistence](#persistence)
- [Admin User](#admin-user)
- [LDAP Settings](#ldap-settings)
- [OAuth2 Settings](#oauth2-settings)
- [Configure commit signing](#configure-commit-signing)
- [Metrics and profiling](#metrics-and-profiling)
- [Pod annotations](#pod-annotations)
- [Themes](#themes)
- [Renovate](#renovate)
- [Parameters](#parameters)
- [Global](#global)
- [strategy](#strategy)
- [Image](#image)
- [Security](#security)
- [Service](#service)
- [Ingress](#ingress)
- [deployment](#deployment)
- [ServiceAccount](#serviceaccount)
- [Persistence](#persistence-1)
- [Init](#init)
- [Signing](#signing)
- [Gitea](#gitea)
- [LivenessProbe](#livenessprobe)
- [ReadinessProbe](#readinessprobe)
- [StartupProbe](#startupprobe)
- [redis-cluster](#redis-cluster)
- [PostgreSQL-ha](#postgresql-ha)
- [PostgreSQL](#postgresql)
- [Advanced](#advanced)
- [Contributing](#contributing)
- [Upgrading](#upgrading)
[Forgejo](https://forgejo.org/) is a community managed lightweight code hosting solution written in Go.
It is published under the MIT license.
## Introduction ## Introduction
This helm chart is based on official [Gitea helm chart](https://gitea.com/gitea/helm-chart). This helm chart is based on official [Gitea helm chart](https://gitea.com/gitea/helm-chart).
Additionally, this chart provides LDAP and admin user configuration with values, Yet it takes a completely different approach in providing a database and cache with dependencies.
as well as being deployed as a statefulset to retain stored repositories. Additionally, this chart allows to provide LDAP and admin user configuration with values.
## Update and versioning policy
The Forgejo helm chart versioning does not follow Forgejo's versioning.
The latest chart version can be looked up in <https://codeberg.org/forgejo-contrib/-/packages/container/forgejo/0.8.0> or in the [repository releases](https://codeberg.org/forgejo-contrib/forgejo-helm/releases).
The chart aims to follow Forgejo's releases closely.
There might be times when the chart is behind the latest Forgejo release.
This might be caused by different reasons, most often due to time constraints of the maintainers (remember, all work here is done voluntarily in the spare time of people).
If you're eager to use the latest Forgejo version earlier than this chart catches up, then change the tag in `values.yaml` to the latest Forgejo version.
This is due to Forgejo not strictly following [semantic versioning](https://semver.org/#summary) as breaking changes do not increase the major version.
I.e., "minor" version bumps are considered "major".
Yet most often no issues will be encountered and the chart maintainers aim to communicate early/upfront if this would be the case.
## Dependencies ## Dependencies
Forgejo can be run with an external database and cache. This chart provides those Forgejo can be run with an external database and cache.
dependencies, which can be enabled, or disabled via This chart provides those dependencies, which can be enabled, or disabled via configuration.
configuration.
Dependencies: Dependencies:
- PostgreSQL ([configuration](#postgresql)) - PostgreSQL HA ([configuration](#postgresql))
- Memcached ([configuration](#memcached)) - Redis Cluster ([configuration](#cache))
- MySQL ([configuration](#mysql))
- MariaDB ([configuration](#mariadb))
## Installing ## Installing
@ -34,21 +98,20 @@ In case you want to supply values, you can reference a `values.yaml` file:
helm install forgejo -f values.yaml oci://codeberg.org/forgejo-contrib/forgejo helm install forgejo -f values.yaml oci://codeberg.org/forgejo-contrib/forgejo
``` ```
When upgrading, please refer to the [Upgrading](#upgrading) section at the bottom When upgrading, please refer to the [Upgrading](#upgrading) section at the bottom of this document for major and breaking changes.
of this document for major and breaking changes.
## Prerequisites ## High Availability
- Kubernetes 1.12+ This chart supports running Forgejo and it's dependencies in HA mode.
- Helm 3.0+ Care must be taken for production use as not all implementation details of Forgejo core are officially HA-ready yet.
- PV provisioner for persistent data support
## Examples Deploying a HA-ready Forgejo instance requires some effort including using HA-ready dependencies.
See the [HA Setup](docs/ha-setup.md) document for more details.
### Forgejo Configuration ## Configuration
Forgejo offers lots of configuration options. This is fully described in the Forgejo offers lots of configuration options.
[Gitea Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/). This is fully described in the [Gitea Cheat Sheet](https://docs.gitea.com/administration/config-cheat-sheet).
```yaml ```yaml
gitea: gitea:
@ -62,18 +125,17 @@ gitea:
### Default Configuration ### Default Configuration
This chart will set a few defaults in the Forgejo configuration based on the This chart will set a few defaults in the Forgejo configuration based on the service and ingress settings.
service and ingress settings. All defaults can be overwritten in `gitea.config`. All defaults can be overwritten in `gitea.config`.
INSTALL_LOCK is always set to true, since we want to configure Forgejo with this INSTALL_LOCK is always set to true, since we want to configure Forgejo with this helm chart and everything is taken care of.
helm chart and everything is taken care of.
_All default settings are made directly in the generated app.ini, not in the Values._ _All default settings are made directly in the generated `app.ini`, not in the Values._
#### Database defaults #### Database defaults
If a builtIn database is enabled the database configuration is set If a builtIn database is enabled the database configuration is set automatically.
automatically. For example, PostgreSQL builtIn will appear in the app.ini as: For example, PostgreSQL builtIn will appear in the `app.ini` as:
```ini ```ini
[database] [database]
@ -84,23 +146,11 @@ PASSWD = gitea
USER = gitea USER = gitea
``` ```
#### Memcached defaults
Memcached is handled the exact same way as database builtIn. Once Memcached
builtIn is enabled, this chart will generate the following part in the `app.ini`:
```ini
[cache]
ADAPTER = memcache
ENABLED = true
HOST = RELEASE-NAME-memcached.default.svc.cluster.local:11211
```
#### Server defaults #### Server defaults
The server defaults are a bit more complex. If ingress is `enabled`, the The server defaults are a bit more complex.
`ROOT_URL`, `DOMAIN` and `SSH_DOMAIN` will be set accordingly. `HTTP_PORT` If ingress is `enabled`, the `ROOT_URL`, `DOMAIN` and `SSH_DOMAIN` will be set accordingly.
always defaults to `3000` as well as `SSH_PORT` to `22`. `HTTP_PORT` always defaults to `3000` as well as `SSH_PORT` to `22`.
```ini ```ini
[server] [server]
@ -124,19 +174,108 @@ The Prometheus `/metrics` endpoint is disabled by default.
ENABLED = false ENABLED = false
``` ```
#### Rootless Defaults
If `.Values.image.rootless: true`, then the following will occur. In case you use `.Values.image.fullOverride`, check that this works in your image:
- `$HOME` becomes `/data/gitea/git`
[see deployment.yaml](./templates/gitea/deployment.yaml) template inside (init-)container "env" declarations
- `START_SSH_SERVER: true` (Unless explicity overwritten by `gitea.config.server.START_SSH_SERVER`)
[see \_helpers.tpl](./templates/_helpers.tpl) in `gitea.inline_configuration.defaults.server` definition
- `SSH_LISTEN_PORT: 2222` (Unless explicity overwritten by `gitea.config.server.SSH_LISTEN_PORT`)
[see \_helpers.tpl](./templates/_helpers.tpl) in `gitea.inline_configuration.defaults.server` definition
- `SSH_LOG_LEVEL` environment variable is not injected into the container
[see deployment.yaml](./templates/gitea/deployment.yaml) template inside container "env" declarations
### Single-Pod Configurations
If HA is not needed/desired, the following configurations can be used to deploy a single-pod Forgejo instance.
1. For a production-ready single-pod Forgejo instance without external dependencies (using the chart dependency `postgresql`):
<details>
<summary>values.yml</summary>
```yaml
redis-cluster:
enabled: false
postgresql:
enabled: true
postgresql-ha:
enabled: false
persistence:
enabled: true
gitea:
config:
database:
DB_TYPE: postgres
session:
PROVIDER: db
cache:
ADAPTER: memory
queue:
TYPE: level
indexer:
ISSUE_INDEXER_TYPE: bleve
REPO_INDEXER_ENABLED: true
```
</details>
2. For a minimal DEV installation (using the built-in sqlite DB instead of Postgres):
This will result in a single-pod Forgejo instance _without any dependencies and persistence_.
**Do not use this configuration for production use**.
<details>
<summary>values.yml</summary>
```yaml
redis-cluster:
enabled: false
postgresql:
enabled: false
postgresql-ha:
enabled: false
persistence:
enabled: false
gitea:
config:
database:
DB_TYPE: sqlite3
session:
PROVIDER: memory
cache:
ADAPTER: memory
queue:
TYPE: level
```
</details>
### Additional _app.ini_ settings ### Additional _app.ini_ settings
> **The [generic](https://docs.gitea.io/en-us/config-cheat-sheet/#overall-default) > **The [generic](https://docs.gitea.com/administration/config-cheat-sheet#overall-default)
> section cannot be defined that way.** > section cannot be defined that way.**
Some settings inside _app.ini_ (like passwords or whole authentication configurations) Some settings inside _app.ini_ (like passwords or whole authentication configurations) must be considered sensitive and therefore should not be passed via plain text inside the _values.yaml_ file.
must be considered sensitive and therefore should not be passed via plain text In times of _GitOps_ the values.yaml could be stored in a Git repository where sensitive data should never be accessible.
inside the _values.yaml_ file. In times of _GitOps_ the values.yaml could be stored
in a Git repository where sensitive data should never be accessible.
The Helm Chart supports this approach and let the user define custom sources like The Helm Chart supports this approach and let the user define custom sources like
Kubernetes Secrets to be loaded as environment variables during _app.ini_ creation Kubernetes Secrets to be loaded as environment variables during _app.ini_ creation or update.
or update.
```yaml ```yaml
gitea: gitea:
@ -147,10 +286,8 @@ gitea:
name: gitea-app-ini-plaintext name: gitea-app-ini-plaintext
``` ```
This would mount the two additional volumes (`oauth` and `some-additionals`) This would mount the two additional volumes (`oauth` and `some-additionals`) from different sources to the init container where the _app.ini_ gets updated.
from different sources to the init containerwhere the _app.ini_ gets updated. All files mounted that way will be read and converted to environment variables and then added to the _app.ini_ using [environment-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini).
All files mounted that way will be read and converted to environment variables
and then added to the _app.ini_ using [environment-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini).
The key of such additional source represents the section inside the _app.ini_. The key of such additional source represents the section inside the _app.ini_.
The value for each key can be multiline ini-like definitions. The value for each key can be multiline ini-like definitions.
@ -187,26 +324,22 @@ stringData:
#### User defined environment variables in app.ini #### User defined environment variables in app.ini
Users are able to define their own environment variables, Users are able to define their own environment variables, which are loaded into the containers.
which are loaded into the containers. We also support to We also support to directly interact with the generated _app.ini_.
directly interact with the generated _app.ini_.
To inject self defined variables into the _app.ini_ a To inject self defined variables into the _app.ini_ a certain format needs to be honored.
certain format needs to be honored. This is This is described in detail on the [env-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini) page.
described in detail on the [env-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini)
page.
Note that the Prefix on this helm chart is `ENV_TO_INI`. Environment variables need to be prefixed with `FORGEJO`.
For example a database setting needs to have the following For example a database setting needs to have the following format:
format:
```yaml ```yaml
gitea: gitea:
additionalConfigFromEnvs: additionalConfigFromEnvs:
- name: ENV_TO_INI__DATABASE__HOST - name: FORGEJO__DATABASE__HOST
value: my.own.host value: my.own.host
- name: ENV_TO_INI__DATABASE__PASSWD - name: FORGEJO__DATABASE__PASSWD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: postgres-secret name: postgres-secret
@ -215,20 +348,24 @@ gitea:
Priority (highest to lowest) for defining app.ini variables: Priority (highest to lowest) for defining app.ini variables:
1. Environment variables prefixed with `ENV_TO_INI` 1. Environment variables prefixed with `FORGEJO`
2. Additional config sources
3. Values defined in `gitea.config` 1. Additional config sources
1. Values defined in `gitea.config`
### External Database ### External Database
An external Database can be used instead of builtIn PostgreSQL or MySQL. Any external database listed in [https://docs.gitea.com/installation/database-prep](https://docs.gitea.com/installation/database-prep) can be used instead of the built-in PostgreSQL.
In fact, it is **highly recommended** to use an external database to ensure a stable Forgejo installation longterm.
If an external database is used, no matter which type, make sure to set `postgresql.enabled` to `false` to disable the use of the built-in PostgreSQL.
```yaml ```yaml
gitea: gitea:
config: config:
database: database:
DB_TYPE: mysql DB_TYPE: mysql
HOST: 127.0.0.1:3306 HOST: <mysql HOST>
NAME: gitea NAME: gitea
USER: root USER: root
PASSWD: gitea PASSWD: gitea
@ -240,7 +377,8 @@ postgresql:
### Ports and external url ### Ports and external url
By default port `3000` is used for web traffic and `22` for ssh. Those can be changed: By default port `3000` is used for web traffic and `22` for ssh.
Those can be changed:
```yaml ```yaml
service: service:
@ -250,15 +388,14 @@ service:
port: 22 port: 22
``` ```
This helm chart automatically configures the clone urls to use the correct This helm chart automatically configures the clone urls to use the correct ports.
ports. You can change these ports by hand using the `gitea.config` dict. However You can change these ports by hand using the `gitea.config` dict.
you should know what you're doing. However you should know what you're doing.
### ClusterIP ### ClusterIP
By default the clusterIP will be set to None, which is the default for headless By default the `clusterIP` will be set to `None`, which is the default for headless services.
services. However if you want to omit the clusterIP field in the service, use However if you want to omit the clusterIP field in the service, use the following values:
the following values:
```yaml ```yaml
service: service:
@ -274,9 +411,8 @@ service:
### SSH and Ingress ### SSH and Ingress
If you're using ingress and want to use SSH, keep in mind, that ingress is not If you're using ingress and want to use SSH, keep in mind, that ingress is not able to forward SSH Ports.
able to forward SSH Ports. You will need a LoadBalancer like `metallb` and a You will need a LoadBalancer like `metallb` and a setting in your ssh service annotations.
setting in your ssh service annotations.
```yaml ```yaml
service: service:
@ -287,8 +423,8 @@ service:
### SSH on crio based kubernetes cluster ### SSH on crio based kubernetes cluster
If you use crio as container runtime it is not possible to read from a remote If you use `crio` as container runtime it is not possible to read from a remote repository.
repository. You should get an error message like this: You should get an error message like this:
```bash ```bash
$ git clone git@k8s-demo.internal:admin/test.git $ git clone git@k8s-demo.internal:admin/test.git
@ -305,37 +441,25 @@ More about this issue [here](https://gitea.com/gitea/helm-chart/issues/161).
### Cache ### Cache
This helm chart can use a built in cache. The default is Memcached from bitnami. The cache handling is done via `redis-cluster` (via the `bitnami` chart) by default.
This deployment is HA-ready but can also be used for single-pod deployments.
By default, 6 replicas are deployed for a working `redis-cluster` deployment.
Many cloud providers offer a managed redis service, which can be used instead of the built-in `redis-cluster`.
```yaml ```yaml
memcached: redis-cluster:
enabled: true enabled: true
``` ```
If the built in cache should not be used simply configure the cache in
`gitea.config`.
```yaml
gitea:
config:
cache:
ENABLED: true
ADAPTER: memory
INTERVAL: 60
HOST: 127.0.0.1:9090
```
### Persistence ### Persistence
Forgejo will be deployed as a statefulset. By simply enabling the persistence and Forgejo will be deployed as a deployment.
setting the storage class according to your cluster everything else will be By simply enabling the persistence and setting the storage class according to your cluster everything else will be taken care of.
taken care of. The following example will create a PVC as a part of the The following example will create a PVC as a part of the deployment.
statefulset. This PVC will not be deleted even if you uninstall the chart.
Please note, that an empty storageClass in the persistence will result in Please note, that an empty `storageClass` in the persistence will result in kubernetes using your default storage class.
kubernetes using your default storage class.
If you want to use your own storageClass define it as followed: If you want to use your own storage class define it as follows:
```yaml ```yaml
persistence: persistence:
@ -343,47 +467,33 @@ persistence:
storageClass: myOwnStorageClass storageClass: myOwnStorageClass
``` ```
When using PostgreSQL as dependency, this will also be deployed as a statefulset
by default.
If you want to manage your own PVC you can simply pass the PVC name to the chart. If you want to manage your own PVC you can simply pass the PVC name to the chart.
```yaml ```yaml
persistence: persistence:
enabled: true enabled: true
existingClaim: MyAwesomeGiteaClaim claimName: MyAwesomeGiteaClaim
``` ```
In case that peristence has been disabled it will simply use an empty dir volume. In case that persistence has been disabled it will simply use an empty dir volume.
PostgreSQL handles the persistence in the exact same way. PostgreSQL handles the persistence in the exact same way.
You can interact with the postgres settings as displayed in the following example: You can interact with the postgres settings as displayed in the following example:
```yaml ```yaml
postgresql: postgresql:
primary:
persistence: persistence:
enabled: true enabled: true
existingClaim: MyAwesomeGiteaPostgresClaim claimName: MyAwesomeGiteaPostgresClaim
```
MySQL also handles persistence the same, even though it is not deployed as a statefulset.
You can interact with the postgres settings as displayed in the following example:
```yaml
mysql:
primary:
persistence:
enabled: true
existingClaim: MyAwesomeGiteaMysqlClaim
``` ```
### Admin User ### Admin User
This chart enables you to create a default admin user. It is also possible to This chart enables you to create a default admin user.
update the password for this user by upgrading or redeloying the chart. It is It is also possible to update the password for this user by upgrading or redeploying the chart.
not possible to delete an admin user after it has been created. This has to be It is not possible to delete an admin user after it has been created.
done in the ui. You cannot use `admin` as username. This has to be done in the ui.
You cannot use `admin` as username.
```yaml ```yaml
gitea: gitea:
@ -415,7 +525,7 @@ gitea:
### LDAP Settings ### LDAP Settings
Like the admin user the LDAP settings can be updated. Like the admin user the LDAP settings can be updated.
All LDAP values from <https://docs.gitea.io/en-us/command-line/#admin> are available. All LDAP values from <https://docs.gitea.com/administration/command-line#admin> are available.
Multiple LDAP sources can be configured with additional LDAP list items. Multiple LDAP sources can be configured with additional LDAP list items.
@ -436,7 +546,7 @@ gitea:
publicSSHKeyAttribute: publicSSHKey publicSSHKeyAttribute: publicSSHKey
``` ```
You can also use an existing secret to set the bindDn and bindPassword: You can also use an existing secret to set the `bindDn` and `bindPassword`:
```yaml ```yaml
apiVersion: v1 apiVersion: v1
@ -455,9 +565,9 @@ gitea:
- existingSecret: gitea-ldap-secret - existingSecret: gitea-ldap-secret
``` ```
⚠️ Some options are just flags and therefore don't have any values. If they ⚠️ Some options are just flags and therefore don't have any values.
are defined in `gitea.ldap` configuration, they will be passed to the Gitea CLI If they are defined in `gitea.ldap` configuration, they will be passed to the Forgejo CLI without any value.
without any value. Affected options: Affected options:
- notActive - notActive
- skipTlsVerify - skipTlsVerify
@ -467,9 +577,9 @@ without any value. Affected options:
### OAuth2 Settings ### OAuth2 Settings
Like the admin user, OAuth2 settings can be updated and disabled but not Like the admin user, OAuth2 settings can be updated and disabled but not deleted.
deleted. Deleting OAuth2 settings has to be done in the ui. All OAuth2 values, Deleting OAuth2 settings has to be done in the ui.
which are documented [here](https://docs.gitea.io/en-us/command-line/#admin), are All OAuth2 values, which are documented [here](https://docs.gitea.com/administration/command-line#admin), are
available. available.
Multiple OAuth2 sources can be configured with additional OAuth list items. Multiple OAuth2 sources can be configured with additional OAuth list items.
@ -511,15 +621,12 @@ gitea:
## Configure commit signing ## Configure commit signing
When using the rootless image the gpg key folder is not persistent by When using the rootless image the gpg key folder is not persistent by default.
default. If you consider using signed commits for internal Gitea activities If you consider using signed commits for internal Forgejo activities (e.g. initial commit), you'd need to provide a signing key.
(e.g. initial commit), you'd need to provide a signing key. Prior to Prior to [PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be re-imported once the container got replaced by another.
[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be
re-imported once the container got replaced by another.
The mentioned PR introduced a new configuration object `signing` allowing you to The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing.
configure prerequisites for commit signing. By default this section is disabled By default this section is disabled to maintain backwards compatibility.
to maintain backwards compatibility.
```yaml ```yaml
signing: signing:
@ -527,9 +634,8 @@ signing:
gpgHome: /data/git/.gnupg gpgHome: /data/git/.gnupg
``` ```
Regardless of the used container image the `signing` object allows to specify a Regardless of the used container image the `signing` object allows to specify a private gpg key.
private gpg key. Either using the `signing.privateKey` to define the key inline, Either using the `signing.privateKey` to define the key inline, or refer to an existing secret containing the key data by using `signing.existingSecret`.
or refer to an existing secret containing the key data by using `signing.existingKey`.
```yaml ```yaml
apiVersion: v1 apiVersion: v1
@ -549,19 +655,15 @@ signing:
existingSecret: custom-gitea-gpg-key existingSecret: custom-gitea-gpg-key
``` ```
To use the gpg key, Gitea needs to be configured accordingly. A detailed description To use the gpg key, Forgejo needs to be configured accordingly.
can be found in the [official Gitea documentation](https://docs.gitea.io/en-us/signing/#general-configuration). A detailed description can be found in the [official Gitea documentation](https://docs.gitea.com/administration/signing#general-configuration).
### Metrics and profiling ## Metrics and profiling
A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling endpoints on port 6060 can be enabled under `gitea`.
endpoints on port 6060 can be enabled under `gitea`. Beware that the metrics Beware that the metrics endpoint is exposed via the ingress, manage access using ingress annotations for example.
endpoint is exposed via the ingress, manage access using ingress annotations for
example.
To deploy the `ServiceMonitor`, you first need to ensure that you have deployed To deploy the `ServiceMonitor`, you first need to ensure that you have deployed `prometheus-operator` and its [CRDs](https://github.com/prometheus-operator/prometheus-operator#customresourcedefinitions).
`prometheus-operator` and its
[CRDs](https://github.com/prometheus-operator/prometheus-operator#customresourcedefinitions).
```yaml ```yaml
gitea: gitea:
@ -575,7 +677,7 @@ gitea:
ENABLE_PPROF: true ENABLE_PPROF: true
``` ```
### Pod Annotations ## Pod annotations
Annotations can be added to the Forgejo pod. Annotations can be added to the Forgejo pod.
@ -584,28 +686,136 @@ gitea:
podAnnotations: {} podAnnotations: {}
``` ```
## Themes
Custom themes can be added via k8s secrets and referencing them in `values.yaml`.
The [http provider](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) is useful here.
```yaml
extraVolumes:
- name: gitea-themes
secret:
secretName: gitea-themes
extraVolumeMounts:
- name: gitea-themes
readOnly: true
mountPath: '/data/gitea/public/assets/css'
```
The secret can be created via `terraform`:
```hcl
resource "kubernetes_secret" "gitea-themes" {
metadata {
name = "gitea-themes"
namespace = "gitea"
}
data = {
"my-theme.css" = data.http.gitea-theme-light.body
"my-theme-dark.css" = data.http.gitea-theme-dark.body
"my-theme-auto.css" = data.http.gitea-theme-auto.body
}
type = "Opaque"
}
data "http" "gitea-theme-light" {
url = "<raw theme url>"
request_headers = {
Accept = "application/json"
}
}
data "http" "gitea-theme-dark" {
url = "<raw theme url>"
request_headers = {
Accept = "application/json"
}
}
data "http" "gitea-theme-auto" {
url = "<raw theme url>"
request_headers = {
Accept = "application/json"
}
}
```
or natively via `kubectl`:
```bash
kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --namespace gitea
```
## Renovate
To be able to use a digest value which is automatically updated by `Renovate` a [customManager](https://docs.renovatebot.com/modules/manager/regex/) is required.
Here's an examplary `values.yml` definition which makes use of a digest:
```yaml
image:
registry: codeberg.org
repository: forgejo/forgejo
tag: 1.20.2-0
digest: sha256:f597c14a403c2fdee9a62dae8bae29d6442f7b2cc85872cc9bb535a24cb1630e
```
By default Renovate adds digest after the `tag`.
To comply with the Forgejo helm chart definition of the digest parameter, a "customManagers" definition is required:
```json
"customManagers": [
{
"customType": "regex",
"description": "Apply an explicit gitea digest field match",
"fileMatch": ["values\\.ya?ml"],
"matchStrings": ["(?<depName>forgejo\\/forgejo)\\n(?<indentation>\\s+)tag: (?<currentValue>[^@].*?)\\n\\s+digest: (?<currentDigest>sha256:[a-f0-9]+)"],
"datasourceTemplate": "docker",
"packageNameTemplate": "codeberg.org/{{depName}}",
"autoReplaceStringTemplate": "{{depName}}\n{{indentation}}tag: {{newValue}}\n{{indentation}}digest: {{#if newDigest}}{{{newDigest}}}{{else}}{{{currentDigest}}}{{/if}}"
}
]
```
## Parameters ## Parameters
### Global ### Global
| Name | Description | Value | | Name | Description | Value |
| ------------------------- | ------------------------------------------------------------------------- | --------------- | | ------------------------- | ------------------------------------------------------------------------- | ----- |
| `global.imageRegistry` | global image registry override | `""` | | `global.imageRegistry` | global image registry override | `""` |
| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]` | | `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]` |
| `global.storageClass` | global storage class override | `""` | | `global.storageClass` | global storage class override | `""` |
| `global.hostAliases` | global hostAliases which will be added to the pod's hosts files | `[]` | | `global.hostAliases` | global hostAliases which will be added to the pod's hosts files | `[]` |
| `replicaCount` | number of replicas for the statefulset | `1` | | `replicaCount` | number of replicas for the deployment | `1` |
### strategy
| Name | Description | Value |
| --------------------------------------- | -------------- | --------------- |
| `strategy.type` | strategy type | `RollingUpdate` |
| `strategy.rollingUpdate.maxSurge` | maxSurge | `100%` |
| `strategy.rollingUpdate.maxUnavailable` | maxUnavailable | `0` |
| `clusterDomain` | cluster domain | `cluster.local` | | `clusterDomain` | cluster domain | `cluster.local` |
### Image ### Image
| Name | Description | Value | | Name | Description | Value |
| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------- | ----------------- | | -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
| `image.registry` | image registry, e.g. gcr.io,docker.io | `codeberg.org` | | `image.registry` | image registry, e.g. gcr.io,docker.io | `codeberg.org` |
| `image.repository` | Image to start for this pod | `forgejo/forgejo` | | `image.repository` | Image to start for this pod | `forgejo/forgejo` |
| `image.tag` | Visit: [Image tag](https://codeberg.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml. | `""` | | `image.tag` | Visit: [Image tag](https://codeberg.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml. | `""` |
| `image.pullPolicy` | Image pull policy | `Always` | | `image.digest` | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` | `""` |
| `image.rootless` | Wether or not to pull the rootless version of Forgejo, only works on Forgejo 1.14.x or higher | `false` | | `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.rootless` | Wether or not to pull the rootless version of Forgejo | `true` |
| `image.fullOverride` | Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** | `""` |
| `imagePullSecrets` | Secret to use for pulling the image | `[]` | | `imagePullSecrets` | Secret to use for pulling the image | `[]` |
### Security ### Security
@ -615,6 +825,7 @@ gitea:
| `podSecurityContext.fsGroup` | Set the shared file system group for all containers in the pod. | `1000` | | `podSecurityContext.fsGroup` | Set the shared file system group for all containers in the pod. | `1000` |
| `containerSecurityContext` | Security context | `{}` | | `containerSecurityContext` | Security context | `{}` |
| `securityContext` | Run init and Forgejo containers as a specific securityContext | `{}` | | `securityContext` | Run init and Forgejo containers as a specific securityContext | `{}` |
| `podDisruptionBudget` | Pod disruption budget | `{}` |
### Service ### Service
@ -622,7 +833,7 @@ gitea:
| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
| `service.http.type` | Kubernetes service type for web traffic | `ClusterIP` | | `service.http.type` | Kubernetes service type for web traffic | `ClusterIP` |
| `service.http.port` | Port number for web traffic | `3000` | | `service.http.port` | Port number for web traffic | `3000` |
| `service.http.clusterIP` | ClusterIP setting for http autosetup for statefulset is None | `None` | | `service.http.clusterIP` | ClusterIP setting for http autosetup for deployment is None | `None` |
| `service.http.loadBalancerIP` | LoadBalancer IP setting | `nil` | | `service.http.loadBalancerIP` | LoadBalancer IP setting | `nil` |
| `service.http.nodePort` | NodePort for http service | `nil` | | `service.http.nodePort` | NodePort for http service | `nil` |
| `service.http.externalTrafficPolicy` | If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | `nil` | | `service.http.externalTrafficPolicy` | If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | `nil` |
@ -633,7 +844,7 @@ gitea:
| `service.http.annotations` | HTTP service annotations | `{}` | | `service.http.annotations` | HTTP service annotations | `{}` |
| `service.ssh.type` | Kubernetes service type for ssh traffic | `ClusterIP` | | `service.ssh.type` | Kubernetes service type for ssh traffic | `ClusterIP` |
| `service.ssh.port` | Port number for ssh traffic | `22` | | `service.ssh.port` | Port number for ssh traffic | `22` |
| `service.ssh.clusterIP` | ClusterIP setting for ssh autosetup for statefulset is None | `None` | | `service.ssh.clusterIP` | ClusterIP setting for ssh autosetup for deployment is None | `None` |
| `service.ssh.loadBalancerIP` | LoadBalancer IP setting | `nil` | | `service.ssh.loadBalancerIP` | LoadBalancer IP setting | `nil` |
| `service.ssh.nodePort` | NodePort for ssh service | `nil` | | `service.ssh.nodePort` | NodePort for ssh service | `nil` |
| `service.ssh.externalTrafficPolicy` | If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | `nil` | | `service.ssh.externalTrafficPolicy` | If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | `nil` |
@ -657,34 +868,50 @@ gitea:
| `ingress.tls` | Ingress tls settings | `[]` | | `ingress.tls` | Ingress tls settings | `[]` |
| `ingress.apiVersion` | Specify APIVersion of ingress object. Mostly would only be used for argocd. | | | `ingress.apiVersion` | Specify APIVersion of ingress object. Mostly would only be used for argocd. | |
### StatefulSet ### deployment
| Name | Description | Value | | Name | Description | Value |
| ------------------------------------------- | ------------------------------------------------------ | ----- | | ------------------------------------------ | ------------------------------------------------------ | ----- |
| `resources` | Kubernetes resources | `{}` | | `resources` | Kubernetes resources | `{}` |
| `schedulerName` | Use an alternate scheduler, e.g. "stork" | `""` | | `schedulerName` | Use an alternate scheduler, e.g. "stork" | `""` |
| `nodeSelector` | NodeSelector for the statefulset | `{}` | | `nodeSelector` | NodeSelector for the deployment | `{}` |
| `tolerations` | Tolerations for the statefulset | `[]` | | `tolerations` | Tolerations for the deployment | `[]` |
| `affinity` | Affinity for the statefulset | `{}` | | `affinity` | Affinity for the deployment | `{}` |
| `dnsConfig` | dnsConfig for the statefulset | `{}` | | `topologySpreadConstraints` | TopologySpreadConstraints for the deployment | `[]` |
| `statefulset.env` | Additional environment variables to pass to containers | `[]` | | `dnsConfig` | dnsConfig for the deployment | `{}` |
| `statefulset.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod | `60` | | `priorityClassName` | priorityClassName for the deployment | `""` |
| `statefulset.labels` | Labels for the statefulset | `{}` | | `deployment.env` | Additional environment variables to pass to containers | `[]` |
| `statefulset.annotations` | Annotations for the Forgejo StatefulSet to be created | `{}` | | `deployment.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod | `60` |
| `deployment.labels` | Labels for the deployment | `{}` |
| `deployment.annotations` | Annotations for the Forgejo deployment to be created | `{}` |
### ServiceAccount
| Name | Description | Value |
| --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `serviceAccount.create` | Enable the creation of a ServiceAccount | `false` |
| `serviceAccount.name` | Name of the created ServiceAccount, defaults to release name. Can also link to an externally provided ServiceAccount that should be used. | `""` |
| `serviceAccount.automountServiceAccountToken` | Enable/disable auto mounting of the service account token | `false` |
| `serviceAccount.imagePullSecrets` | Image pull secrets, available to the ServiceAccount | `[]` |
| `serviceAccount.annotations` | Custom annotations for the ServiceAccount | `{}` |
| `serviceAccount.labels` | Custom labels for the ServiceAccount | `{}` |
### Persistence ### Persistence
| Name | Description | Value | | Name | Description | Value |
| ---------------------------- | ------------------------------------------------------------------------------------------------------- | ------------------- | | ------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ---------------------- |
| `persistence.enabled` | Enable persistent storage | `true` | | `persistence.enabled` | Enable persistent storage | `true` |
| `persistence.existingClaim` | Use an existing claim to store repository information | `nil` | | `persistence.create` | Whether to create the persistentVolumeClaim for shared storage | `true` |
| `persistence.mount` | Whether the persistentVolumeClaim should be mounted (even if not created) | `true` |
| `persistence.claimName` | Use an existing claim to store repository information | `gitea-shared-storage` |
| `persistence.size` | Size for persistence to store repo information | `10Gi` | | `persistence.size` | Size for persistence to store repo information | `10Gi` |
| `persistence.accessModes` | AccessMode for persistence | `["ReadWriteOnce"]` | | `persistence.accessModes` | AccessMode for persistence | `["ReadWriteOnce"]` |
| `persistence.labels` | Labels for the persistence volume claim to be created | `{}` | | `persistence.labels` | Labels for the persistence volume claim to be created | `{}` |
| `persistence.annotations` | Annotations for the persistence volume claim to be created | `{}` | | `persistence.annotations.helm.sh/resource-policy` | Resource policy for the persistence volume claim | `keep` |
| `persistence.storageClass` | Name of the storage class to use | `nil` | | `persistence.storageClass` | Name of the storage class to use | `nil` |
| `persistence.subPath` | Subdirectory of the volume to mount at | `nil` | | `persistence.subPath` | Subdirectory of the volume to mount at | `nil` |
| `extraVolumes` | Additional volumes to mount to the Forgejo statefulset | `[]` | | `persistence.volumeName` | Name of persistent volume in PVC | `""` |
| `extraVolumes` | Additional volumes to mount to the Forgejo deployment | `[]` |
| `extraContainerVolumeMounts` | Mounts that are only mapped into the Forgejo runtime/main container, to e.g. override custom templates. | `[]` | | `extraContainerVolumeMounts` | Mounts that are only mapped into the Forgejo runtime/main container, to e.g. override custom templates. | `[]` |
| `extraInitVolumeMounts` | Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration. | `[]` | | `extraInitVolumeMounts` | Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration. | `[]` |
| `extraVolumeMounts` | **DEPRECATED** Additional volume mounts for init containers and the Forgejo main container | `[]` | | `extraVolumeMounts` | **DEPRECATED** Additional volume mounts for init containers and the Forgejo main container | `[]` |
@ -692,8 +919,11 @@ gitea:
### Init ### Init
| Name | Description | Value | | Name | Description | Value |
| --------------- | --------------------------------------------------------------------- | ----- | | ------------------------------------------ | ------------------------------------------------------------------------------------ | ------- |
| `initPreScript` | Bash shell script copied verbatim to the start of the init-container. | `""` | | `initPreScript` | Bash shell script copied verbatim to the start of the init-container. | `""` |
| `initContainers.resources.limits` | initContainers.limits Kubernetes resource limits for init containers | `{}` |
| `initContainers.resources.requests.cpu` | initContainers.requests.cpu Kubernetes cpu resource limits for init containers | `100m` |
| `initContainers.resources.requests.memory` | initContainers.requests.memory Kubernetes memory resource limits for init containers | `128Mi` |
### Signing ### Signing
@ -707,7 +937,7 @@ gitea:
### Gitea ### Gitea
| Name | Description | Value | | Name | Description | Value |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------------- | -------------------- | | -------------------------------------- | --------------------------------------------------------------------------- | -------------------- |
| `gitea.admin.username` | Username for the Forgejo admin user | `gitea_admin` | | `gitea.admin.username` | Username for the Forgejo admin user | `gitea_admin` |
| `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` | | `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` |
| `gitea.admin.password` | Password for the Forgejo admin user | `r8sA8CPHD9!bt6d` | | `gitea.admin.password` | Password for the Forgejo admin user | `r8sA8CPHD9!bt6d` |
@ -716,10 +946,12 @@ gitea:
| `gitea.metrics.serviceMonitor.enabled` | Enable Forgejo metrics service monitor | `false` | | `gitea.metrics.serviceMonitor.enabled` | Enable Forgejo metrics service monitor | `false` |
| `gitea.ldap` | LDAP configuration | `[]` | | `gitea.ldap` | LDAP configuration | `[]` |
| `gitea.oauth` | OAuth configuration | `[]` | | `gitea.oauth` | OAuth configuration | `[]` |
| `gitea.config` | Configuration for the Forgejo server,ref: [config-cheat-sheet](https://docs.gitea.io/en-us/config-cheat-sheet/) | `{}` | | `gitea.config.server.SSH_PORT` | SSH port for rootlful Forgejo image | `22` |
| `gitea.config.server.SSH_LISTEN_PORT` | SSH port for rootless Forgejo image | `2222` |
| `gitea.additionalConfigSources` | Additional configuration from secret or configmap | `[]` | | `gitea.additionalConfigSources` | Additional configuration from secret or configmap | `[]` |
| `gitea.additionalConfigFromEnvs` | Additional configuration sources from environment variables | `[]` | | `gitea.additionalConfigFromEnvs` | Additional configuration sources from environment variables | `[]` |
| `gitea.podAnnotations` | Annotations for the Forgejo pod | `{}` | | `gitea.podAnnotations` | Annotations for the Forgejo pod | `{}` |
| `gitea.ssh.logLevel` | Configure OpenSSH's log level. Only available for root-based Forgejo image. | `INFO` |
### LivenessProbe ### LivenessProbe
@ -757,62 +989,52 @@ gitea:
| `gitea.startupProbe.successThreshold` | Success threshold for startup probe | `1` | | `gitea.startupProbe.successThreshold` | Success threshold for startup probe | `1` |
| `gitea.startupProbe.failureThreshold` | Failure threshold for startup probe | `10` | | `gitea.startupProbe.failureThreshold` | Failure threshold for startup probe | `10` |
### Memcached ### redis-cluster
Memcached is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/memcached) if enabled in the values. Complete Configuration can be taken from their website.
| Name | Description | Value | | Name | Description | Value |
| ----------------------------------- | ------------------ | ------- | | -------------------------------- | -------------------------------------------- | ------- |
| `memcached.enabled` | Enable Memcached | `true` | | `redis-cluster.enabled` | Enable redis | `true` |
| `memcached.service.ports.memcached` | Port for Memcached | `11211` | | `redis-cluster.usePassword` | Whether to use password authentication | `false` |
| `redis-cluster.cluster.nodes` | Number of redis cluster master nodes | `3` |
| `redis-cluster.cluster.replicas` | Number of redis cluster master node replicas | `0` |
### PostgreSQL-ha
| Name | Description | Value |
| ------------------------------------------- | ---------------------------------------------------------------- | ----------- |
| `postgresql-ha.enabled` | Enable PostgreSQL-ha | `true` |
| `postgresql-ha.postgresql.password` | Password for the `gitea` user (overrides `auth.password`) | `changeme4` |
| `postgresql-ha.global.postgresql.database` | Name for a custom database to create (overrides `auth.database`) | `gitea` |
| `postgresql-ha.global.postgresql.username` | Name for a custom user to create (overrides `auth.username`) | `gitea` |
| `postgresql-ha.global.postgresql.password` | Name for a custom password to create (overrides `auth.password`) | `gitea` |
| `postgresql-ha.postgresql.repmgrPassword` | Repmgr Password | `changeme2` |
| `postgresql-ha.postgresql.postgresPassword` | postgres Password | `changeme1` |
| `postgresql-ha.pgpool.adminPassword` | pgpool adminPassword | `changeme3` |
| `postgresql-ha.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `5432` |
| `postgresql-ha.primary.persistence.size` | PVC Storage Request for PostgreSQL-ha volume | `10Gi` |
### PostgreSQL ### PostgreSQL
PostgreSQL is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) if enabled in the values. Complete Configuration can be taken from their website. PostgreSQL is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) if enabled in the values. Complete Configuration can be taken from their website.
| Name | Description | Value | | Name | Description | Value |
| --------------------------------------------- | ----------------------------------------- | ------- | | ------------------------------------------------------- | ---------------------------------------------------------------- | ------- |
| `postgresql.enabled` | Enable PostgreSQL | `true` | | `postgresql.enabled` | Enable PostgreSQL | `false` |
| `postgresql.auth.database` | PostgreSQL database | `gitea` | | `postgresql.global.postgresql.auth.password` | Password for the `gitea` user (overrides `auth.password`) | `gitea` |
| `postgresql.auth.username` | PostgreSQL username | `gitea` | | `postgresql.global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `gitea` |
| `postgresql.auth.password` | PostgreSQL username | `gitea` | | `postgresql.global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `gitea` |
| `postgresql.auth.postgresPassword` | PostgreSQL admin password | `gitea` | | `postgresql.global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `5432` |
| `postgresql.primary.service.ports.postgresql` | Port to connect to PostgreSQL service | `5432` |
| `postgresql.primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `10Gi` | | `postgresql.primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `10Gi` |
### MySQL
MySQL is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/mysql) if enabled in the values. Complete Configuration can be taken from their website.
| Name | Description | Value |
| ----------------------------------- | ------------------------------------------------------------------ | ------- |
| `mysql.enabled` | Enable MySQL | `false` |
| `mysql.auth.database` | Name for new database to create. | `gitea` |
| `mysql.auth.username` | Username of new user to create. | `gitea` |
| `mysql.auth.password` | Password for the new user.Ignored if existing secret is provided | `gitea` |
| `mysql.auth.rootPassword` | Password for the root user. Ignored if existing secret is provided | `gitea` |
| `mysql.primary.service.ports.mysql` | Port to connect to MySQL service | `3306` |
| `mysql.primary.persistence.size` | PVC Storage Request for MySQL volume | `10Gi` |
### MariaDB
MariaDB is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) if enabled in the values. Complete Configuration can be taken from their website.
| Name | Description | Value |
| ------------------------------------- | ----------------------------------------------------------------- | ------- |
| `mariadb.enabled` | Enable MariaDB | `false` |
| `mariadb.auth.database` | Name of the database to create. | `gitea` |
| `mariadb.auth.username` | Username of the new user to create. | `gitea` |
| `mariadb.auth.password` | Password for the new user. Ignored if existing secret is provided | `gitea` |
| `mariadb.auth.rootPassword` | Password for the root user. | `gitea` |
| `mariadb.primary.service.ports.mysql` | Port to connect to MariaDB service | `3306` |
| `mariadb.primary.persistence.size` | Persistence size for MariaDB | `10Gi` |
### Advanced ### Advanced
| Name | Description | Value | | Name | Description | Value |
| ------------------ | ---------------------------------------------------- | ------ | | ------------------ | ------------------------------------------------------------------ | --------- |
| `checkDeprecation` | Set it to false to skip this basic validation check. | `true` | | `checkDeprecation` | Set it to false to skip this basic validation check. | `true` |
| `test.enabled` | Set it to false to disable test-connection Pod. | `true` |
| `test.image.name` | Image name for the wget container used in the test-connection Pod. | `busybox` |
| `test.image.tag` | Image tag for the wget container used in the test-connection Pod. | `latest` |
| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
## Contributing ## Contributing
@ -823,4 +1045,5 @@ See [CONTRIBUTORS GUIDE](CONTRIBUTING.md) for details.
## Upgrading ## Upgrading
This section lists major and breaking changes of each Helm Chart version. This section lists major and breaking changes of each Helm Chart version.
Please read them carefully to upgrade successfully. Please read them carefully to upgrade successfully, especially the change of the **default database backend**!
If you miss this, blindly upgrading may delete your Postgres instance and you may lose your data!
@ -3,7 +3,7 @@
# https://artifacthub.io/docs/topics/repositories/helm-charts/#oci-support # https://artifacthub.io/docs/topics/repositories/helm-charts/#oci-support
# publish via: # publish via:
# oras push codeberg.org/forgejo-contrib/forgejo:artifacthub.io --config artifacthub.config.json:application/vnd.cncf.artifacthub.config.v1+yaml artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml # oras push codeberg.org/forgejo-contrib/forgejo:artifacthub.io --config artifacthub.config.json:application/vnd.cncf.artifacthub.config.v1+yaml artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
repositoryID: 'ec84c95a-a288-4aaa-a690-a656b57e3136' repositoryID: "ec84c95a-a288-4aaa-a690-a656b57e3136"
owners: # (optional, used to claim repository ownership) owners: # (optional, used to claim repository ownership)
- name: viceice - name: viceice
email: michael.kriese@visualon.de email: michael.kriese@visualon.de
178
docs/ha-setup.md Normal file
@ -0,0 +1,178 @@
# High Availability
All components (in-memory DB, volume/asset storage, code indexer) used by Forgejo must be deployed in a HA-ready fashion to achieve a full HA-ready Forgejo deployment.
The following document explains how to achieve this for all individual components.
The resulting Forgejo deployment will consist of ~ 10 pods (depending on the chosen components and their replicas).
One should evaluate upfront whether a HA-deployment is required as switching between HA/non-HA comes with some effort.
For production instances, HA is always recommended to increase uptime and have a frictionless update process.
A general comment about chart dependencies and external services:
Instead of relying on chart dependencies, it is often better to rely on an external, (managed) instances (in-memory database, asset storage provider, database, etc.).
Many cloud providers offer such services, at least for databases or in-memory databases.
They might cost a bit more than using a self-hosted k8s variant but are usually easier to maintain and scale, if needed.
Also they can be centrally managed and are not linked to the Forgejo helm chart or namespace.
Please consider using external services before you start with your Forgejo HA setup, it will make your life (and the life of the Forgejo maintainers) easier.
This helm chart tries to help as much as possible to simplify and assert the provisioning of a HA-ready Forgejo instance by implementing smart conditionals if `replicaCount` is set to a value > 1.
Nevertheless, we cannot guarantee for every possible combination of Forgejo settings to work together perfectly in a HA setup.
As a general advice, we recommend to have a test environment aside on which to test possible changes/upgrades before applying these to a production installation.
## Requirements for HA
Storage-wise, the HA-Forgejo setup requires a RWX file-system which can be shared among the deployment-based replica pods.
In addition, the following components are required for full HA-readiness:
- A HA-ready issue (and optionally code) indexer: `elasticsearch` or `meilisearch`
- A HA-ready external object/asset storage (`minio`) (optional, assets can also be stored on the RWX file-system)
- A HA-ready cache (`redis-cluster`)
- A HA-ready DB
`postgres.enabled`, which default to `true`, must be set to `false` for a HA setup.
The default `postgres` chart dependency is not HA-ready (there's a dedicated `postgres-ha` chart).
The following sections discuss each of the components in more detail.
Note that for each component discussed, the shown configurations only provides a (working) starting point, not necessarily the most optimal setup.
We try to optimize this document over time as we have gained more experience with HA setups from users.
## Indexers (Issues and code/repo)
The default code indexer `bleve` is not able to allow multiple connections and hence cannot be used in a HA setup.
Alternatives are `elasticsearch` and `meilisearch` (as of >= 1.19.2).
Unless you have an existing `elasticsearch` cluster, we recommend using `meilisearch` as it is faster and requires way less resources.
Unfortunately, `meilisearch` does only support the `ISSUE_INDEXER` and not the `REPO_INDEXER` yet ([tracking issue](https://github.com/go-gitea/gitea/pull/24149)).
This means that the `REPO_INDEXER` must still be disabled for a HA setup right now.
An alternative to the two options above for the `ISSUE_INDEXER` is `"db"`, however we recommend to just go with `meilisearch` in this case and to not bother the DB with indexing.
To configure `meilisearch` within Forgejo, do the following:
```yml
gitea:
config:
indexer:
ISSUE_INDEXER_CONN_STR: <http://meilisearch.<namespace>.svc.cluster.local:7700>
ISSUE_INDEXER_ENABLED: true
ISSUE_INDEXER_TYPE: meilisearch
REPO_INDEXER_ENABLED: false
# REPO_INDEXER_TYPE: meilisearch # not yet working
```
Unfortunately `meilisearch` cannot be deployed in HA as of now.
Nevertheless it allows for multiple Forgejo requests at the same time and is therefore required in a HA setup.
Exemplary configuration for the [meilisearch-kubernetes](https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch) chart:
```yaml
persistence:
enabled: true
accessMode: ReadWriteOnce
size: 5Gi
```
## Cache, session and queue
A `redis` instance is required for the in-memory cache.
Two options exist:
- `redis`
- `redis-cluster`
The chart provides `redis-cluster` as a dependency as this one can be used for both HA and non-HA setups.
You're also welcome to go with `redis` if you prefer or already have a running instance.
It should be noted that `redis-cluster` support is only available starting with Forgejo 1.19.2.
You can also configure an external (managed) `redis` instance to be used.
To do so, you need to set the following configuration values yourself:
- `gitea.config.queue.TYPE`: redis`
- `gitea.config.queue.CONN_STR`: `<your redis connection string>`
- `gitea.config.session.PROVIDER`: `redis`
- `gitea.config.session.PROVIDER_CONFIG`: `<your redis connection string>`
- `gitea.config.cache.ENABLED`: `true`
- `gitea.config.cache.ADAPTER`: `redis`
- `gitea.config.cache.HOST`: `<your redis connection string>`
By default, the `redis-cluster` chart provisions three standalone master nodes of which each has a single replica.
To reduce the number of pods for a default Forgejo deployment, we opted to omit the replicas (`replicas: 0`) by default.
Only the minimum required number of master pods for a functional `redis-cluster` deployment are provisioned.
For a "proper" `redis-cluster` setup however, we recommend to set `replicas: 1` and `nodes: 6`.
## Object and asset storage
Object/asset storage refers to the storage of attachments, avatars, LFS files, etc.
While most of these can be stored on the RWX file-system, it is recommended to use an external S3-compatible object storage for such, mainly for performance reasons.
By default the chart provisions a single RWO volume to store everything (repos, avatars, packages, etc.).
This volume cannot be mounted by multiple pods.
Hence, a RWX volume is required and (optionally) an external HA-ready object storage.
> **Note:** Double-check that the file permissions are set correctly on the RWX volume! That is everything should be owned by the `git` user which usually has `uid=1000` and `gid=1000`.
To use `minio` you need to deploy and configure an external `minio` instance yourself and explicitly define the `STORAGE_TYPE` values as shown below.
Note that `MINIO_BUCKET` here is just a name and does not refer to a S3 bucket.
It's the root access point for all objects belonging to the respective application, i.e., to Forgejo in this case.
```yaml
gitea:
config:
attachment:
STORAGE_TYPE: minio
lfs:
STORAGE_TYPE: minio
picture:
AVATAR_STORAGE_TYPE: minio
"storage.packages":
STORAGE_TYPE: minio
storage:
MINIO_ENDPOINT: <minio-headless.<namespace>.svc.cluster.local:9000>
MINIO_LOCATION: <location>
MINIO_ACCESS_KEY_ID: <access key>
MINIO_SECRET_ACCESS_KEY: <secret key>
MINIO_BUCKET: <bucket name>
MINIO_USE_SSL: false
```
Exemplary configuration for the [bitnami minio](https://github.com/bitnami/charts/blob/main/bitnami/minio) chart:
```yaml
auth:
rootUser: minio
mode: distributed
replicaCount: 4
persistence:
enabled: true
size: 20Gi
accessModes:
- ReadWriteOnce
```
## Database
If you do not have an HA-ready DB, using a managed database service in the cloud might be the easiest and most robust solution.
Remember: disable the built-in `postgres` dependency and configure the database connection manually via `gitea.config.database`:
```yml
gitea:
database:
builtIn:
postgresql:
enabled: false
config:
database:
DB_TYPE: postgres
HOST: <host>
NAME: <name>
USER: <user>
```
## Known issues
- Currently Cron jobs are run on all replicas as no leader election is implemented.
See [https://github.com/go-gitea/gitea/issues/13791](https://github.com/go-gitea/gitea/issues/13791) for a discussion and possible solution.
- Running with multiple replicas slows down Forgejo a bit, i.e. page loading time increases.
3371
package-lock.json generated
View file

@ -15,8 +15,8 @@
}, },
"devDependencies": { "devDependencies": {
"@bitnami/readme-generator-for-helm": "^2.4.2", "@bitnami/readme-generator-for-helm": "^2.4.2",
"conventional-changelog-conventionalcommits": "^5.0.0", "conventional-changelog-conventionalcommits": "^7.0.0",
"conventional-changelog-core": "^4.2.4", "conventional-changelog-core": "^7.0.0",
"markdownlint-cli": "^0.33.0" "markdownlint-cli": "^0.37.0"
} }
} }
@ -31,17 +31,44 @@
"matchManagers": ["helmv3"], "matchManagers": ["helmv3"],
"matchFiles": ["Chart.yaml"], "matchFiles": ["Chart.yaml"],
"matchUpdateTypes": ["patch"], "matchUpdateTypes": ["patch"],
"automerge": true, "automerge": true
"platformAutomerge": true },
{
"description": "Automerge dev deps updates",
"matchManagers": ["npm"],
"matchDepTypes": ["devDependencies"],
"automerge": true
} }
], ],
"regexManagers": [ "customManagers": [
{ {
"description": "Update forgeo version in chart",
"customType": "regex",
"fileMatch": ["^Chart\\.yaml$"], "fileMatch": ["^Chart\\.yaml$"],
"matchStrings": ["appVersion: (?<currentValue>.+?)\\s"], "matchStrings": ["appVersion: (?<currentValue>.+?)\\s"],
"depNameTemplate": "forgejo", "depNameTemplate": "forgejo",
"packageNameTemplate": "codeberg.org/forgejo/forgejo", "packageNameTemplate": "codeberg.org/forgejo/forgejo",
"datasourceTemplate": "docker" "datasourceTemplate": "docker"
},
{
"description": "Update helm unittest plugin",
"customType": "regex",
"fileMatch": ["^\\.woodpecker/[a-z-]+\\.yml$"],
"matchStrings": [
"helm plugin install --version (?<currentValue>.+?) https://github.com/helm-unittest/helm-unittest\\s"
],
"depNameTemplate": "helm-unittest",
"packageNameTemplate": "helm-unittest/helm-unittest",
"datasourceTemplate": "github-releases"
},
{
"description": "Detect helm-unittest yaml schema file",
"customType": "regex",
"fileMatch": [".vscode/settings\\.json$"],
"matchStrings": [
"https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json"
],
"datasourceTemplate": "github-releases"
} }
] ]
} }
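Review bot: The description of the new regex manager reads `"Update forgeo version in chart"`; the product name is spelled `forgejo` everywhere else in this file, so it should be `"description": "Update forgejo version in chart"`. In the helm-unittest schema manager, `fileMatch` is `".vscode/settings\\.json$"`, where the leading dot is an unescaped regex wildcard and the pattern is not anchored at the start; `"^\\.vscode/settings\\.json$"` matches only the intended path. The new `"Automerge dev deps updates"` rule merges every devDependencies bump without human review, which is a supply-chain trust decision rather than a defect; if that is intended, pairing it with Renovate's `minimumReleaseAge` lets freshly published versions age before they are automerged.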
@ -2,6 +2,27 @@
{{/* {{/*
Expand the name of the chart. Expand the name of the chart.
*/}} */}}
{{- /* multiple replicas assertions */ -}}
{{- if gt .Values.replicaCount 1.0 -}}
{{- fail "When using multiple replicas, a RWX file system is required" -}}
{{- if eq (get (.Values.persistence.accessModes 0) "ReadWriteOnce") -}}
{{- fail "When using multiple replicas, a RWX file system is required" -}}
{{- end }}
{{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
{{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
{{- end }}
{{- if and (eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve") (eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED "true") -}}
{{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
{{- end }}
{{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
{{- (printf "DEBUG: When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'") | fail -}}
{{- end }}
{{- end }}
{{- define "gitea.name" -}} {{- define "gitea.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
@ -35,14 +56,22 @@ Create chart name and version as used by the chart label.
Create image name and tag used by the deployment. Create image name and tag used by the deployment.
*/}} */}}
{{- define "gitea.image" -}} {{- define "gitea.image" -}}
{{- $fullOverride := .Values.image.fullOverride | default "" -}}
{{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}} {{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
{{- $name := .Values.image.repository -}} {{- $repository := .Values.image.repository -}}
{{- $separator := ":" -}}
{{- $tag := .Values.image.tag | default .Chart.AppVersion -}} {{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
{{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}} {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
{{- if $registry -}} {{- $digest := "" -}}
{{- printf "%s/%s:%s%s" $registry $name $tag $rootless -}} {{- if .Values.image.digest }}
{{- $digest = (printf "@%s" (.Values.image.digest | toString)) -}}
{{- end -}}
{{- if $fullOverride }}
{{- printf "%s" $fullOverride -}}
{{- else if $registry }}
{{- printf "%s/%s%s%s%s%s" $registry $repository $separator $tag $rootless $digest -}}
{{- else -}} {{- else -}}
{{- printf "%s:%s%s" $name $tag $rootless -}} {{- printf "%s%s%s%s%s" $repository $separator $tag $rootless $digest -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@ -91,24 +120,38 @@ app.kubernetes.io/name: {{ include "gitea.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}} {{- end -}}
{{- define "postgresql-ha.dns" -}}
{{- if (index .Values "postgresql-ha").enabled -}}
{{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}}
{{- end -}}
{{- end -}}
{{- define "postgresql.dns" -}} {{- define "postgresql.dns" -}}
{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.primary.service.ports.postgresql -}} {{- if (index .Values "postgresql").enabled -}}
{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.service.ports.postgresql -}}
{{- end -}}
{{- end -}} {{- end -}}
{{- define "mysql.dns" -}} {{- define "redis.dns" -}}
{{- printf "%s-mysql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mysql.primary.service.ports.mysql | trunc 63 | trimSuffix "-" -}} {{- if (index .Values "redis-cluster").enabled -}}
{{- printf "redis+cluster://:%s@%s-redis-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis-cluster").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis-cluster").service.ports.redis -}}
{{- end -}}
{{- end -}} {{- end -}}
{{- define "mariadb.dns" -}} {{- define "redis.port" -}}
{{- printf "%s-mariadb.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.mariadb.primary.service.ports.mysql | trunc 63 | trimSuffix "-" -}} {{- if (index .Values "redis-cluster").enabled -}}
{{ (index .Values "redis-cluster").service.ports.redis }}
{{- end -}}
{{- end -}} {{- end -}}
{{- define "memcached.dns" -}} {{- define "redis.servicename" -}}
{{- printf "%s-memcached.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.memcached.service.ports.memcached | trunc 63 | trimSuffix "-" -}} {{- if (index .Values "redis-cluster").enabled -}}
{{- printf "%s-redis-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
{{- end -}}
{{- end -}} {{- end -}}
{{- define "gitea.default_domain" -}} {{- define "gitea.default_domain" -}}
{{- printf "%s-gitea.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain | trunc 63 | trimSuffix "-" -}} {{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}}
{{- end -}} {{- end -}}
{{- define "gitea.ldap_settings" -}} {{- define "gitea.ldap_settings" -}}
@ -190,6 +233,7 @@ https
{{- else -}} {{- else -}}
{{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}} {{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}}
{{- end -}} {{- end -}}
{{- end }} {{- end }}
{{- end }} {{- end }}
@ -219,6 +263,18 @@ https
{{- if not (hasKey .Values.gitea.config "oauth2") -}} {{- if not (hasKey .Values.gitea.config "oauth2") -}}
{{- $_ := set .Values.gitea.config "oauth2" dict -}} {{- $_ := set .Values.gitea.config "oauth2" dict -}}
{{- end -}} {{- end -}}
{{- if not (hasKey .Values.gitea.config "session") -}}
{{- $_ := set .Values.gitea.config "session" dict -}}
{{- end -}}
{{- if not (hasKey .Values.gitea.config "queue") -}}
{{- $_ := set .Values.gitea.config "queue" dict -}}
{{- end -}}
{{- if not (hasKey .Values.gitea.config "queue.issue_indexer") -}}
{{- $_ := set .Values.gitea.config "queue.issue_indexer" dict -}}
{{- end -}}
{{- if not (hasKey .Values.gitea.config "indexer") -}}
{{- $_ := set .Values.gitea.config "indexer" dict -}}
{{- end -}}
{{- end -}} {{- end -}}
{{- define "gitea.inline_configuration.defaults" -}} {{- define "gitea.inline_configuration.defaults" -}}
@ -234,13 +290,27 @@ https
{{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}} {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
{{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}} {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
{{- end -}} {{- end -}}
{{- if .Values.memcached.enabled -}} {{- if (index .Values "redis-cluster").enabled -}}
{{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}} {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
{{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}} {{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}}
{{- if not (.Values.gitea.config.cache.HOST) -}} {{- if not (.Values.gitea.config.cache.HOST) -}}
{{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}} {{- $_ := set .Values.gitea.config.cache "HOST" (include "redis.dns" .) -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- /* redis queue */ -}}
{{- if (index .Values "redis-cluster").enabled -}}
{{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
{{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "redis.dns" .) -}}
{{- end -}}
{{- if not (get .Values.gitea.config.session "PROVIDER") -}}
{{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
{{- end -}}
{{- if not (get .Values.gitea.config.session "PROVIDER_CONFIG") -}}
{{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" (include "redis.dns" .) -}}
{{- end -}}
{{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
{{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
{{- end -}}
{{- end -}} {{- end -}}
{{- define "gitea.inline_configuration.defaults.server" -}} {{- define "gitea.inline_configuration.defaults.server" -}}
@ -252,7 +322,7 @@ https
{{- end -}} {{- end -}}
{{- if not (.Values.gitea.config.server.DOMAIN) -}} {{- if not (.Values.gitea.config.server.DOMAIN) -}}
{{- if gt (len .Values.ingress.hosts) 0 -}} {{- if gt (len .Values.ingress.hosts) 0 -}}
{{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}} {{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}}
{{- else -}} {{- else -}}
{{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}} {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
{{- end -}} {{- end -}}
@ -287,30 +357,23 @@ https
{{- end -}} {{- end -}}
{{- define "gitea.inline_configuration.defaults.database" -}} {{- define "gitea.inline_configuration.defaults.database" -}}
{{- if .Values.postgresql.enabled -}} {{- if (index .Values "postgresql-ha" "enabled") -}}
{{- $_ := set .Values.gitea.config.database "DB_TYPE" "postgres" -}}
{{- if not (.Values.gitea.config.database.HOST) -}}
{{- $_ := set .Values.gitea.config.database "HOST" (include "postgresql-ha.dns" .) -}}
{{- end -}}
{{- $_ := set .Values.gitea.config.database "NAME" (index .Values "postgresql-ha" "global" "postgresql" "database") -}}
{{- $_ := set .Values.gitea.config.database "USER" (index .Values "postgresql-ha" "global" "postgresql" "username") -}}
{{- $_ := set .Values.gitea.config.database "PASSWD" (index .Values "postgresql-ha" "global" "postgresql" "password") -}}
{{- end -}}
{{- if (index .Values "postgresql" "enabled") -}}
{{- $_ := set .Values.gitea.config.database "DB_TYPE" "postgres" -}} {{- $_ := set .Values.gitea.config.database "DB_TYPE" "postgres" -}}
{{- if not (.Values.gitea.config.database.HOST) -}} {{- if not (.Values.gitea.config.database.HOST) -}}
{{- $_ := set .Values.gitea.config.database "HOST" (include "postgresql.dns" .) -}} {{- $_ := set .Values.gitea.config.database "HOST" (include "postgresql.dns" .) -}}
{{- end -}} {{- end -}}
{{- $_ := set .Values.gitea.config.database "NAME" .Values.postgresql.auth.database -}} {{- $_ := set .Values.gitea.config.database "NAME" .Values.postgresql.global.postgresql.auth.database -}}
{{- $_ := set .Values.gitea.config.database "USER" .Values.postgresql.auth.username -}} {{- $_ := set .Values.gitea.config.database "USER" .Values.postgresql.global.postgresql.auth.username -}}
{{- $_ := set .Values.gitea.config.database "PASSWD" .Values.postgresql.auth.password -}} {{- $_ := set .Values.gitea.config.database "PASSWD" .Values.postgresql.global.postgresql.auth.password -}}
{{- else if .Values.mysql.enabled -}}
{{- $_ := set .Values.gitea.config.database "DB_TYPE" "mysql" -}}
{{- if not (.Values.gitea.config.database.HOST) -}}
{{- $_ := set .Values.gitea.config.database "HOST" (include "mysql.dns" .) -}}
{{- end -}}
{{- $_ := set .Values.gitea.config.database "NAME" .Values.mysql.auth.database -}}
{{- $_ := set .Values.gitea.config.database "USER" .Values.mysql.auth.username -}}
{{- $_ := set .Values.gitea.config.database "PASSWD" .Values.mysql.auth.password -}}
{{- else if .Values.mariadb.enabled -}}
{{- $_ := set .Values.gitea.config.database "DB_TYPE" "mysql" -}}
{{- if not (.Values.gitea.config.database.HOST) -}}
{{- $_ := set .Values.gitea.config.database "HOST" (include "mariadb.dns" .) -}}
{{- end -}}
{{- $_ := set .Values.gitea.config.database "NAME" .Values.mariadb.auth.database -}}
{{- $_ := set .Values.gitea.config.database "USER" .Values.mariadb.auth.username -}}
{{- $_ := set .Values.gitea.config.database "PASSWD" .Values.mariadb.auth.password -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@ -335,3 +398,7 @@ https
{{- define "gitea.gpg-key-secret-name" -}} {{- define "gitea.gpg-key-secret-name" -}}
{{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }} {{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
{{- end -}} {{- end -}}
{{- define "gitea.serviceAccountName" -}}
{{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
{{- end -}}
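Review bot: The "multiple replicas assertions" block added at the top of the file calls `fail` unconditionally: `{{- fail "When using multiple replicas, a RWX file system is required" -}}` sits directly under `{{- if gt .Values.replicaCount 1.0 -}}` with no inner condition, and the checks after it are malformed (`get (.Values.persistence.accessModes 0) "ReadWriteOnce"` is not a valid call, and one message still carries a `DEBUG:` prefix). Helm skips rendering files whose name starts with `_`, so this block is presumably never evaluated, which would explain why multi-replica installs still work; since corrected versions of these assertions now live in the config secret template, this block should be deleted rather than left for someone to move into a rendered template. In `gitea.inline_configuration.defaults`, the two blocks that default `session.PROVIDER` to `redis` and `session.PROVIDER_CONFIG` to `include "redis.dns"` are placed after the `{{- end -}}` of the `(index .Values "redis-cluster").enabled` guard, so a release with the bundled redis disabled and no explicit session settings is rendered with a redis session provider and an empty connection string; moving both `if` blocks inside that guard fixes it. Note also that `redis.dns` embeds `global.redis.password` in the URL that lands in `cache.HOST`, `queue.CONN_STR` and `session.PROVIDER_CONFIG`, so the rendered configuration must continue to be emitted only into a Secret.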
@ -16,6 +16,37 @@ metadata:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
type: Opaque type: Opaque
stringData: stringData:
assertions: |
{{- /*assert that only one PG dep is enabled */ -}}
{{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}}
{{- fail "Only one of postgresql or postgresql-ha can be enabled at the same time." -}}
{{- end }}
{{- /* multiple replicas assertions */ -}}
{{- if gt .Values.replicaCount 1.0 -}}
{{- if (get (get .Values.gitea.config "cron.GIT_GC_REPOS") "ENABLED") -}}
{{- fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." -}}
{{- end }}
{{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
{{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
{{- end }}
{{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
{{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
{{- end }}
{{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
{{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_TYPE") "bleve" -}}
{{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
{{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_ENABLED") "true" -}}
{{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
config_environment.sh: |- config_environment.sh: |-
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
@ -53,14 +84,14 @@ stringData:
env2ini::log " + '${setting}'" env2ini::log " + '${setting}'"
if [[ -z "${section}" ]]; then if [[ -z "${section}" ]]; then
export "ENV_TO_INI____${setting^^}=${value}" # '^^' makes the variable content uppercase export "FORGEJO____${setting^^}=${value}" # '^^' makes the variable content uppercase
return return
fi fi
local masked_section="${section//./_0X2E_}" # '//' instructs to replace all matches local masked_section="${section//./_0X2E_}" # '//' instructs to replace all matches
masked_section="${masked_section//-/_0X2D_}" masked_section="${masked_section//-/_0X2D_}"
export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase export "FORGEJO__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase
} }
function env2ini::reload_preset_envs() { function env2ini::reload_preset_envs() {
@ -131,18 +162,18 @@ stringData:
function env2ini::generate_initial_secrets() { function env2ini::generate_initial_secrets() {
# These environment variables will either be # These environment variables will either be
# - overwritten with user defined values, # - overwritten with user defined values,
# - initially used to set up Gitea # - initially used to set up Forgejo
# Anyway, they won't harm existing app.ini files # Anyway, they won't harm existing app.ini files
export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN) export FORGEJO__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY) export FORGEJO__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET) export FORGEJO__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
export ENV_TO_INI__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET) export FORGEJO__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
env2ini::log "...Initial secrets generated\n" env2ini::log "...Initial secrets generated\n"
} }
env | (grep ENV_TO_INI || [[ $? == 1 ]]) > /tmp/existing-envs env | (grep FORGEJO || [[ $? == 1 ]]) > /tmp/existing-envs
# MUST BE CALLED BEFORE OTHER CONFIGURATION # MUST BE CALLED BEFORE OTHER CONFIGURATION
env2ini::generate_initial_secrets env2ini::generate_initial_secrets
@ -163,10 +194,10 @@ stringData:
env2ini::log ' - oauth2.JWT_SECRET' env2ini::log ' - oauth2.JWT_SECRET'
env2ini::log ' - server.LFS_JWT_SECRET' env2ini::log ' - server.LFS_JWT_SECRET'
unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN unset FORGEJO__SECURITY__INTERNAL_TOKEN
unset ENV_TO_INI__SECURITY__SECRET_KEY unset FORGEJO__SECURITY__SECRET_KEY
unset ENV_TO_INI__OAUTH2__JWT_SECRET unset FORGEJO__OAUTH2__JWT_SECRET
unset ENV_TO_INI__SERVER__LFS_JWT_SECRET unset FORGEJO__SERVER__LFS_JWT_SECRET
fi fi
environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI environment-to-ini -o $GITEA_APP_INI
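Review bot: The repo-indexer assertion compares `REPO_INDEXER_ENABLED` with the string `"true"` via `{{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_ENABLED") "true" -}}`, but docs/ha-setup.md in this same commit documents the setting as a YAML boolean (`REPO_INDEXER_ENABLED: false`); Go templates' `eq` fails with "incompatible types for comparison" when one side is a bool and the other a string, so a user with a bleve repo indexer and `REPO_INDEXER_ENABLED: true` gets a template error instead of the intended message. Normalising first, `{{- if eq (toString .Values.gitea.config.indexer.REPO_INDEXER_ENABLED) "true" -}}`, handles both spellings and makes the enclosing truthiness `if` redundant. The garbage-collector assertion tells the user to set `cron.GIT_GC_REPOS.enabled = false` while the check reads the key `ENABLED`; the message should name the key actually checked. That check also does `get (get .Values.gitea.config "cron.GIT_GC_REPOS") "ENABLED"`, and when `cron.GIT_GC_REPOS` is absent the inner `get` yields an empty string rather than a map, which presumably makes the outer `get` error on every multi-replica render that does not define that section; guarding with `hasKey` first, or reading it through `dig`, avoids that.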
@ -1,22 +1,28 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: Deployment
metadata: metadata:
name: {{ include "gitea.fullname" . }} name: {{ include "gitea.fullname" . }}
annotations: annotations:
{{- if .Values.statefulset.annotations }} {{- if .Values.deployment.annotations }}
{{- toYaml .Values.statefulset.annotations | nindent 4 }} {{- toYaml .Values.deployment.annotations | nindent 4 }}
{{- end }} {{- end }}
labels: labels:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
spec: spec:
replicas: {{ .Values.replicaCount }} replicas: {{ .Values.replicaCount }}
strategy:
type: {{ .Values.strategy.type }}
{{- if eq .Values.strategy.type "RollingUpdate" }}
rollingUpdate:
maxUnavailable: {{ .Values.strategy.rollingUpdate.maxUnavailable }}
maxSurge: {{ .Values.strategy.rollingUpdate.maxSurge }}
{{- end }}
selector: selector:
matchLabels: matchLabels:
{{- include "gitea.selectorLabels" . | nindent 6 }} {{- include "gitea.selectorLabels" . | nindent 6 }}
{{- if .Values.statefulset.labels }} {{- if .Values.deployment.labels }}
{{- toYaml .Values.statefulset.labels | nindent 6 }} {{- toYaml .Values.deployment.labels | nindent 6 }}
{{- end }} {{- end }}
serviceName: {{ include "gitea.fullname" . }}
template: template:
metadata: metadata:
annotations: annotations:
@ -32,13 +38,19 @@ spec:
{{- end }} {{- end }}
labels: labels:
{{- include "gitea.labels" . | nindent 8 }} {{- include "gitea.labels" . | nindent 8 }}
{{- if .Values.statefulset.labels }} {{- if .Values.deployment.labels }}
{{- toYaml .Values.statefulset.labels | nindent 8 }} {{- toYaml .Values.deployment.labels | nindent 8 }}
{{- end }} {{- end }}
spec: spec:
{{- if .Values.schedulerName }} {{- if .Values.schedulerName }}
schedulerName: "{{ .Values.schedulerName }}" schedulerName: "{{ .Values.schedulerName }}"
{{- end }} {{- end }}
{{- if (or .Values.serviceAccount.create .Values.serviceAccount.name) }}
serviceAccountName: {{ include "gitea.serviceAccountName" . }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- include "gitea.images.pullSecrets" . | nindent 6 }} {{- include "gitea.images.pullSecrets" . | nindent 6 }}
securityContext: securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }} {{- toYaml .Values.podSecurityContext | nindent 8 }}
@ -56,8 +68,8 @@ spec:
value: /data value: /data
- name: GITEA_TEMP - name: GITEA_TEMP
value: /tmp/gitea value: /tmp/gitea
{{- if .Values.statefulset.env }} {{- if .Values.deployment.env }}
{{- toYaml .Values.statefulset.env | nindent 12 }} {{- toYaml .Values.deployment.env | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.signing.enabled }} {{- if .Values.signing.enabled }}
- name: GNUPGHOME - name: GNUPGHOME
@ -76,6 +88,8 @@ spec:
{{- include "gitea.init-additional-mounts" . | nindent 12 }} {{- include "gitea.init-additional-mounts" . | nindent 12 }}
securityContext: securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 12 }} {{- toYaml .Values.containerSecurityContext | nindent 12 }}
resources:
{{- toYaml .Values.initContainers.resources | nindent 12 }}
- name: init-app-ini - name: init-app-ini
image: "{{ include "gitea.image" . }}" image: "{{ include "gitea.image" . }}"
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
@ -89,8 +103,8 @@ spec:
value: /data value: /data
- name: GITEA_TEMP - name: GITEA_TEMP
value: /tmp/gitea value: /tmp/gitea
{{- if .Values.statefulset.env }} {{- if .Values.deployment.env }}
{{- toYaml .Values.statefulset.env | nindent 12 }} {{- toYaml .Values.deployment.env | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.gitea.additionalConfigFromEnvs }} {{- if .Values.gitea.additionalConfigFromEnvs }}
{{- toYaml .Values.gitea.additionalConfigFromEnvs | nindent 12 }} {{- toYaml .Values.gitea.additionalConfigFromEnvs | nindent 12 }}
@ -114,6 +128,8 @@ spec:
{{- include "gitea.init-additional-mounts" . | nindent 12 }} {{- include "gitea.init-additional-mounts" . | nindent 12 }}
securityContext: securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 12 }} {{- toYaml .Values.containerSecurityContext | nindent 12 }}
resources:
{{- toYaml .Values.initContainers.resources | nindent 12 }}
{{- if .Values.signing.enabled }} {{- if .Values.signing.enabled }}
- name: configure-gpg - name: configure-gpg
image: "{{ include "gitea.image" . }}" image: "{{ include "gitea.image" . }}"
@ -143,6 +159,8 @@ spec:
{{- if .Values.extraVolumeMounts }} {{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }} {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }} {{- end }}
resources:
{{- toYaml .Values.initContainers.resources | nindent 12 }}
{{- end }} {{- end }}
- name: configure-gitea - name: configure-gitea
image: "{{ include "gitea.image" . }}" image: "{{ include "gitea.image" . }}"
@ -164,6 +182,10 @@ spec:
value: /data value: /data
- name: GITEA_TEMP - name: GITEA_TEMP
value: /tmp/gitea value: /tmp/gitea
{{- if .Values.image.rootless }}
- name: HOME
value: /data/gitea/git
{{- end }}
{{- if .Values.gitea.ldap }} {{- if .Values.gitea.ldap }}
{{- range $idx, $value := .Values.gitea.ldap }} {{- range $idx, $value := .Values.gitea.ldap }}
{{- if $value.existingSecret }} {{- if $value.existingSecret }}
@ -218,8 +240,8 @@ spec:
- name: GITEA_ADMIN_PASSWORD - name: GITEA_ADMIN_PASSWORD
value: {{ .Values.gitea.admin.password | quote }} value: {{ .Values.gitea.admin.password | quote }}
{{- end }} {{- end }}
{{- if .Values.statefulset.env }} {{- if .Values.deployment.env }}
{{- toYaml .Values.statefulset.env | nindent 12 }} {{- toYaml .Values.deployment.env | nindent 12 }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: init - name: init
@ -232,7 +254,9 @@ spec:
subPath: {{ .Values.persistence.subPath }} subPath: {{ .Values.persistence.subPath }}
{{- end }} {{- end }}
{{- include "gitea.init-additional-mounts" . | nindent 12 }} {{- include "gitea.init-additional-mounts" . | nindent 12 }}
terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }} resources:
{{- toYaml .Values.initContainers.resources | nindent 12 }}
terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
containers: containers:
- name: {{ .Chart.Name }} - name: {{ .Chart.Name }}
image: "{{ include "gitea.image" . }}" image: "{{ include "gitea.image" . }}"
@ -243,6 +267,10 @@ spec:
value: {{ .Values.gitea.config.server.SSH_LISTEN_PORT | quote }} value: {{ .Values.gitea.config.server.SSH_LISTEN_PORT | quote }}
- name: SSH_PORT - name: SSH_PORT
value: {{ .Values.gitea.config.server.SSH_PORT | quote }} value: {{ .Values.gitea.config.server.SSH_PORT | quote }}
{{- if not .Values.image.rootless }}
- name: SSH_LOG_LEVEL
value: {{ .Values.gitea.ssh.logLevel | quote }}
{{- end }}
- name: GITEA_APP_INI - name: GITEA_APP_INI
value: /data/gitea/conf/app.ini value: /data/gitea/conf/app.ini
- name: GITEA_CUSTOM - name: GITEA_CUSTOM
@ -253,12 +281,16 @@ spec:
value: /tmp/gitea value: /tmp/gitea
- name: TMPDIR - name: TMPDIR
value: /tmp/gitea value: /tmp/gitea
{{- if .Values.image.rootless }}
- name: HOME
value: /data/gitea/git
{{- end }}
{{- if .Values.signing.enabled }} {{- if .Values.signing.enabled }}
- name: GNUPGHOME - name: GNUPGHOME
value: {{ .Values.signing.gpgHome }} value: {{ .Values.signing.gpgHome }}
{{- end }} {{- end }}
{{- if .Values.statefulset.env }} {{- if .Values.deployment.env }}
{{- toYaml .Values.statefulset.env | nindent 12 }} {{- toYaml .Values.deployment.env | nindent 12 }}
{{- end }} {{- end }}
ports: ports:
- name: ssh - name: ssh
@ -314,6 +346,10 @@ spec:
affinity: affinity:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }} {{- with .Values.tolerations }}
tolerations: tolerations:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
@ -352,38 +388,13 @@ spec:
path: private.asc path: private.asc
defaultMode: 0100 defaultMode: 0100
{{- end }} {{- end }}
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} {{- if .Values.persistence.enabled }}
{{- if .Values.persistence.mount }}
- name: data - name: data
persistentVolumeClaim: persistentVolumeClaim:
{{- with .Values.persistence.existingClaim }} claimName: {{ .Values.persistence.claimName }}
claimName: {{ tpl . $ }}
{{- end }} {{- end }}
{{- else if not .Values.persistence.enabled }} {{- else if not .Values.persistence.enabled }}
- name: data - name: data
emptyDir: {} emptyDir: {}
{{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
volumeClaimTemplates:
- metadata:
name: data
{{- with .Values.persistence.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value }}
{{- end }}
{{- end }}
{{- with .Values.persistence.labels }}
labels:
{{- range $key, $value := . }}
{{ $key }}: {{ $value }}
{{- end }}
{{- end }}
spec:
accessModes:
{{- range .Values.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
{{- include "gitea.persistence.storageClass" . | indent 8 }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- end }} {{- end }}


@ -0,0 +1,8 @@
{{- range .Values.extraDeploy }}
---
{{- if typeIs "string" . }}
{{- tpl . $ }}
{{- else }}
{{- tpl (. | toYaml) $ }}
{{- end }}
{{- end }}
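Review bot: Every `extraDeploy` item is passed through `tpl` with the root context `$` (`{{- tpl . $ }}` and `{{- tpl (. | toYaml) $ }}`), so strings and maps supplied in values are evaluated as Go templates with access to the whole `.Values` tree rather than copied verbatim, and nothing in the template says so. A header comment such as `{{- /* Each extraDeploy item is rendered with tpl against the root context, so it may reference .Values and chart helpers; literal {{ must be escaped. */}}` would make that contract explicit for chart users. The `---` separator is emitted before the type check, so an item that renders to nothing still produces an empty document; Helm tolerates that, but it matters for `hasDocuments` assertions in the unit tests.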


@ -1,6 +1,6 @@
{{- if .Values.signing.enabled -}} {{- if .Values.signing.enabled -}}
{{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}} {{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}}
{{- fail "Either specify `signing.privateKey` or `signing.existingKey`" -}} {{- fail "Either specify `signing.privateKey` or `signing.existingSecret`" -}}
{{- end }} {{- end }}
{{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}} {{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}}
apiVersion: v1 apiVersion: v1


@ -15,9 +15,9 @@ metadata:
name: {{ $fullName }} name: {{ $fullName }}
labels: labels:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations: annotations:
{{- toYaml . | nindent 4 }} {{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }} {{- end }}
spec: spec:
{{- if .Values.ingress.className }} {{- if .Values.ingress.className }}
@ -28,14 +28,14 @@ spec:
{{- range .Values.ingress.tls }} {{- range .Values.ingress.tls }}
- hosts: - hosts:
{{- range .hosts }} {{- range .hosts }}
- {{ . | quote }} - {{ tpl . $ | quote }}
{{- end }} {{- end }}
secretName: {{ .secretName }} secretName: {{ .secretName }}
{{- end }} {{- end }}
{{- end }} {{- end }}
rules: rules:
{{- range .Values.ingress.hosts }} {{- range .Values.ingress.hosts }}
- host: {{ .host | quote }} - host: {{ tpl .host $ | quote }}
http: http:
paths: paths:
{{- range .paths }} {{- range .paths }}
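Review bot: `annotations:` is now emitted unconditionally because the `{{- with .Values.ingress.annotations }}` guard around it was dropped, so a release with no ingress annotations renders `metadata.annotations: null`; Kubernetes accepts that, but schema-strict tooling and `notExists`-style assertions do not. Keeping the range loop inside the guard fixes it: `{{- with .Values.ingress.annotations }}` / `annotations:` / `{{- range $key, $value := . }}` with a matching `{{- end }}`. The TLS hosts gained `tpl` rendering while `secretName: {{ .secretName }}` stays neither templated nor quoted; `secretName: {{ tpl .secretName $ | quote }}` keeps the two in step, or at least `{{ .secretName | quote }}` if the key may legitimately be absent. The enclosing Ingress spec continues outside the hunk.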


@ -58,10 +58,31 @@ stringData:
{ # try { # try
gitea migrate gitea migrate
} || { # catch } || { # catch
echo "Gitea migrate might fail due to database connection...This init-container will try again in a few seconds" echo "Forgejo migrate might fail due to database connection...This init-container will try again in a few seconds"
exit 1 exit 1
} }
{{- if include "redis.servicename" . }}
function test_redis_connection() {
local RETRY=0
local MAX=30
echo 'Wait for redis to become avialable...'
until [ "${RETRY}" -ge "${MAX}" ]; do
nc -vz -w2 {{ include "redis.servicename" . }} {{ include "redis.port" . }} && break
RETRY=$[${RETRY}+1]
echo "...not ready yet (${RETRY}/${MAX})"
done
if [ "${RETRY}" -ge "${MAX}" ]; then
echo "Redis not reachable after '${MAX}' attempts!"
exit 1
fi
}
test_redis_connection
{{- end }}
{{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }} {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
function configure_admin_user() { function configure_admin_user() {
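Review bot: The new `test_redis_connection` loop has no delay between attempts, so when the redis service name resolves but the connection is refused (pod not ready yet) all 30 `nc` probes complete within a few seconds and the init container exits 1 long before redis is up; `-w2` only bounds a hanging connect, not a refused one. A pause after a failed probe fixes that and also replaces the obsolete `$[...]` arithmetic form: `nc -vz -w2 {{ include "redis.servicename" . }} {{ include "redis.port" . }} && break` followed by `RETRY=$((RETRY+1))` and `sleep 2`. The echo text `avialable` is misspelled. This block sits inside a larger shell script whose header and `set` options are outside the hunk, and it presumably relies on `nc` being present in the image.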


@ -0,0 +1,17 @@
{{- if .Values.podDisruptionBudget -}}
{{- if .Capabilities.APIVersions.Has "policy/v1" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ include "gitea.fullname" . }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "gitea.selectorLabels" . | nindent 6 }}
{{- toYaml .Values.podDisruptionBudget | nindent 2 }}
{{- end -}}
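Review bot: `{{- toYaml .Values.podDisruptionBudget | nindent 2 }}` splices the whole user-supplied map into `spec` after the chart-written `selector`, so a `podDisruptionBudget.selector` key in values yields a duplicate `selector` key in the rendered manifest, which YAML parsers either resolve silently (last wins) or reject. Stripping the managed key avoids the collision: `{{- toYaml (omit .Values.podDisruptionBudget "selector") | nindent 2 }}`. A one-line comment above it, e.g. `{{- /* user-provided fields such as minAvailable / maxUnavailable; selector is managed by the chart */ }}`, would document the intended shape, since the values documentation for this key is not visible here.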

26
templates/gitea/pvc.yaml Normal file

@ -0,0 +1,26 @@
{{- if and .Values.persistence.enabled .Values.persistence.create }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ .Values.persistence.claimName }}
namespace: {{ $.Release.Namespace }}
annotations:
{{ .Values.persistence.annotations | toYaml | indent 4}}
spec:
accessModes:
{{- if gt .Values.replicaCount 1.0 }}
- ReadWriteMany
{{- else }}
{{- .Values.persistence.accessModes | toYaml | nindent 4 }}
{{- end }}
volumeMode: Filesystem
{{- if .Values.persistence.storageClass }}
storageClassName: {{ .Values.persistence.storageClass }}
{{- end }}
{{- with .Values.persistence.volumeName }}
volumeName: {{ . }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size }}
{{- end }}
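Review bot: `{{- if gt .Values.replicaCount 1.0 }}` compares against a float literal; values loaded from values.yaml arrive as float64 and compare fine, but `--set replicaCount=2` is parsed as an integer and Go's template `gt` then fails with an incompatible-types error, so rendering breaks exactly for the user who overrides the replica count. `{{- if gt (int .Values.replicaCount) 1 }}` is safe for both sources. That branch also silently replaces whatever `persistence.accessModes` the user configured with `ReadWriteMany`, which is reasonable for multi-replica pods but deserves a comment on the `if`, e.g. `{{- /* more than one replica needs a shared volume, so accessModes is forced to RWX */ }}`. If the `{{ .Values.persistence.annotations | toYaml | indent 4}}` line is itself indented in the file (the rendered page hides leading whitespace), `indent` double-indents the first annotation relative to the rest; `{{- ... | nindent 4 }}` is the form used elsewhere in this chart and avoids that.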


@ -0,0 +1,21 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "gitea.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.labels }}
{{- . | toYaml | nindent 4 }}
{{- end }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- . | toYaml | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- with .Values.serviceAccount.imagePullSecrets }}
imagePullSecrets:
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- end }}
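Review bot: `automountServiceAccountToken` here governs only pods that use this ServiceAccount; with `serviceAccount.create` left false (the default, per the unit tests in this commit) the deployment template sets no `serviceAccountName`, so pods run under the namespace's default ServiceAccount and its token is still mounted unless `spec.automountServiceAccountToken` is set at pod level. A comment on that line, e.g. `# applies only when this SA is used; with create=false the pod-level setting on the default SA decides`, would keep readers from assuming the token is off by default. `namespace: {{ .Release.Namespace | quote }}` is quoted while the new pvc.yaml writes `namespace: {{ $.Release.Namespace }}` unquoted; the two new templates should pick one form.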


@ -39,7 +39,9 @@ spec:
ports: ports:
- name: ssh - name: ssh
port: {{ .Values.service.ssh.port }} port: {{ .Values.service.ssh.port }}
{{- if .Values.gitea.config.server.SSH_LISTEN_PORT }}
targetPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }} targetPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
{{- end }}
protocol: TCP protocol: TCP
{{- if .Values.service.ssh.nodePort }} {{- if .Values.service.ssh.nodePort }}
nodePort: {{ .Values.service.ssh.nodePort }} nodePort: {{ .Values.service.ssh.nodePort }}
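Review bot: When `gitea.config.server.SSH_LISTEN_PORT` is unset the new guard drops `targetPort` entirely, and Kubernetes then defaults it to `port`, i.e. `service.ssh.port`; if the container listens elsewhere (presumably the case for the rootless image, which cannot bind a privileged port) SSH traffic silently reaches nothing. Falling back to the named container port keeps the Service correct regardless: `{{- else }}` / `targetPort: ssh` before the `{{- end }}`, since the deployment template declares a container port named `ssh`. The enclosing Service spec starts outside the hunk.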


@ -1,3 +1,4 @@
{{- if .Values.test.enabled }}
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
@ -9,7 +10,8 @@ metadata:
spec: spec:
containers: containers:
- name: wget - name: wget
image: busybox image: "{{ .Values.test.image.name }}:{{ .Values.test.image.tag }}"
command: ['wget'] command: ['wget']
args: ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}'] args: ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}']
restartPolicy: Never restartPolicy: Never
{{- end }}
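Review bot: The test pod image is assembled as `"{{ .Values.test.image.name }}:{{ .Values.test.image.tag }}"` without going through `global.imageRegistry` or the chart's image helper, so installs that mirror every image through a private registry must override `test.image.name` separately and will otherwise fail the test hook on the first pull. Either apply the global registry, `image: "{{ with .Values.global.imageRegistry }}{{ . }}/{{ end }}{{ .Values.test.image.name }}:{{ .Values.test.image.tag }}"`, or add a comment on the `image:` line stating that `global.imageRegistry` is intentionally not honoured for the test pod.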


@ -0,0 +1,30 @@
suite: config template | database section (postgresql-ha)
release:
name: gitea-unittests
namespace: testing
tests:
- it: connects to pgpool service
template: templates/gitea/config.yaml
set:
postgresql:
enabled: false
postgresql-ha:
enabled: true
asserts:
- documentIndex: 0
matchRegex:
path: stringData.database
pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:5432
- it: renders the referenced service
template: charts/postgresql-ha/templates/pgpool/service.yaml
set:
postgresql:
enabled: false
postgresql-ha:
enabled: true
asserts:
- containsDocument:
kind: Service
apiVersion: v1
name: gitea-unittests-postgresql-ha-pgpool
namespace: testing
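Review bot: The `matchRegex` pattern `HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:5432` leaves its dots unescaped, so `.` matches any character and the assertion is looser than intended; the config-template suite later in this commit writes `DOMAIN=gitea\.example\.com`, which is the form to follow. The same applies to the postgresql suite (`HOST=gitea-unittests-postgresql.testing.svc.cluster.local:5432`) and to the server-section suite (`\nDOMAIN=git.example.com` and its siblings). This suite also leaves `it:` descriptions unquoted while the postgresql suite quotes them; either is fine, but the two parallel files should match.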


@ -0,0 +1,30 @@
suite: config template | database section (postgresql)
release:
name: gitea-unittests
namespace: testing
tests:
- it: "connects to postgresql service"
template: templates/gitea/config.yaml
set:
postgresql:
enabled: true
postgresql-ha:
enabled: false
asserts:
- documentIndex: 0
matchRegex:
path: stringData.database
pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:5432
- it: "renders the referenced service"
template: charts/postgresql/templates/primary/svc.yaml
set:
postgresql:
enabled: true
postgresql-ha:
enabled: false
asserts:
- containsDocument:
kind: Service
apiVersion: v1
name: gitea-unittests-postgresql
namespace: testing


@ -0,0 +1,67 @@
suite: config template | server section (domain related)
release:
name: gitea-unittests
namespace: testing
tests:
- it: "[default values] uses ingress host for DOMAIN|SSH_DOMAIN|ROOT_URL"
template: templates/gitea/config.yaml
asserts:
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nDOMAIN=git.example.com
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nSSH_DOMAIN=git.example.com
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nROOT_URL=http://git.example.com
################################################
- it: "[no ingress hosts] uses gitea http service for DOMAIN|SSH_DOMAIN|ROOT_URL"
template: templates/gitea/config.yaml
set:
ingress:
hosts: []
asserts:
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nDOMAIN=gitea-unittests-forgejo-http.testing.svc.cluster.local
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nSSH_DOMAIN=gitea-unittests-forgejo-http.testing.svc.cluster.local
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nROOT_URL=http://gitea-unittests-forgejo-http.testing.svc.cluster.local
################################################
- it: "[provided via values] uses that for DOMAIN|SSH_DOMAIN|ROOT_URL"
template: templates/gitea/config.yaml
set:
gitea.config.server.DOMAIN: provided.example.com
ingress:
hosts:
- host: non-used.example.com
paths:
- path: /
pathType: Prefix
asserts:
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nDOMAIN=provided.example.com
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nSSH_DOMAIN=provided.example.com
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nROOT_URL=http://provided.example.com


@ -0,0 +1,42 @@
suite: Dependency update consistency
release:
name: gitea-unittests
namespace: testing
tests:
- it: "[postgresql-ha] ensures we detect major image version upgrades"
template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
set:
postgresql:
enabled: false
postgresql-ha:
enabled: true
asserts:
- documentIndex: 0
matchRegex:
path: spec.template.spec.containers[0].image
# IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
pattern: ^docker.io/bitnami/postgresql-repmgr:16.+$
- it: "[postgresql] ensures we detect major image version upgrades"
template: charts/postgresql/templates/primary/statefulset.yaml
set:
postgresql:
enabled: true
postgresql-ha:
enabled: false
asserts:
- documentIndex: 0
matchRegex:
path: spec.template.spec.containers[0].image
# IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
pattern: ^docker.io/bitnami/postgresql:16.+$
- it: "[redis-cluster] ensures we detect major image version upgrades"
template: charts/redis-cluster/templates/redis-statefulset.yaml
set:
redis-cluster:
enabled: true
asserts:
- documentIndex: 0
matchRegex:
path: spec.template.spec.containers[0].image
# IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
pattern: ^docker.io/bitnami/redis-cluster:7.+$
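Review bot: `pattern: ^docker.io/bitnami/postgresql-repmgr:16.+$` anchors on `16` followed by any characters, so a future `160.x` or `165.0.0` tag would still pass and the major-bump guard would not fire; `^docker\.io/bitnami/postgresql-repmgr:16\..+$` pins the dot after the major version. The `postgresql:16.+$` and `redis-cluster:7.+$` patterns in the same file have the same gap, and the redis one is the wider of the two since `7.+` accepts any tag beginning with `7`, such as `71.0`.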


@ -1,17 +1,17 @@
suite: Statefulset template (basic) suite: deployment template (basic)
release: release:
name: forgejo-unittests name: forgejo-unittests
namespace: testing namespace: testing
templates: templates:
- templates/gitea/statefulset.yaml - templates/gitea/deployment.yaml
- templates/gitea/config.yaml - templates/gitea/config.yaml
tests: tests:
- it: renders a statefulset - it: renders a deployment
template: templates/gitea/statefulset.yaml template: templates/gitea/deployment.yaml
asserts: asserts:
- hasDocuments: - hasDocuments:
count: 1 count: 1
- containsDocument: - containsDocument:
kind: StatefulSet kind: Deployment
apiVersion: apps/v1 apiVersion: apps/v1
name: forgejo-unittests name: forgejo-unittests


@ -0,0 +1,93 @@
suite: deployment template (image configuration)
release:
name: gitea-unittests
namespace: testing
chart:
# Override appVersion to be consistent with used digest :)
appVersion: 1.19.3
templates:
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: default values
template: templates/gitea/deployment.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "codeberg.org/forgejo/forgejo:1.19.3-rootless"
- it: tag override
template: templates/gitea/deployment.yaml
set:
image.tag: "1.19.4"
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "codeberg.org/forgejo/forgejo:1.19.4-rootless"
- it: root-based image
template: templates/gitea/deployment.yaml
set:
image.rootless: false
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "codeberg.org/forgejo/forgejo:1.19.3"
- it: scoped registry
template: templates/gitea/deployment.yaml
set:
image.registry: "example.com"
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "example.com/forgejo/forgejo:1.19.3-rootless"
- it: global registry
template: templates/gitea/deployment.yaml
set:
global.imageRegistry: "global.example.com"
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "global.example.com/forgejo/forgejo:1.19.3-rootless"
- it: digest for rootless image
template: templates/gitea/deployment.yaml
set:
image:
rootless: true
digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "codeberg.org/forgejo/forgejo:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
- it: image fullOverride (does not append rootless)
template: templates/gitea/deployment.yaml
set:
image:
fullOverride: gitea/gitea:1.19.3
# setting rootless, registry, repository, tag, and digest to prove that override works
rootless: true
registry: example.com
repository: example/image
tag: "1.0.0"
digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "gitea/gitea:1.19.3"
- it: digest for root-based image
template: templates/gitea/deployment.yaml
set:
image:
rootless: false
digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "codeberg.org/forgejo/forgejo:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
- it: digest and global registry
template: templates/gitea/deployment.yaml
set:
global.imageRegistry: "global.example.com"
image.digest: "sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: "global.example.com/forgejo/forgejo:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a"


@ -0,0 +1,23 @@
suite: ingress template
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/ingress.yaml
tests:
- it: hostname using TPL
set:
global.giteaHostName: "gitea.example.com"
ingress.enabled: true
ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
ingress.tls:
- secretName: gitea-tls
hosts:
- "{{ .Values.global.giteaHostName }}"
asserts:
- equal:
path: spec.tls[0].hosts[0]
value: "gitea.example.com"
- equal:
path: spec.rules[0].host
value: "gitea.example.com"


@ -0,0 +1,33 @@
suite: config template
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/config.yaml
tests:
- it: inline config stringData.server using TPL
set:
global.giteaHostName: "gitea.example.com"
ingress.enabled: true
ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}"
ingress.tls:
- secretName: gitea-tls
hosts:
- "{{ .Values.global.giteaHostName }}"
asserts:
- documentIndex: 0
matchRegex:
path: metadata.name
pattern: .*-inline-config$
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: DOMAIN=gitea\.example\.com
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: ROOT_URL=https://gitea\.example\.com
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: SSH_DOMAIN=gitea\.example\.com


@ -1,13 +1,13 @@
suite: Statefulset template (signing disabled) suite: deployment template (signing disabled)
release: release:
name: forgejo-unittests name: forgejo-unittests
namespace: testing namespace: testing
templates: templates:
- templates/gitea/statefulset.yaml - templates/gitea/deployment.yaml
- templates/gitea/config.yaml - templates/gitea/config.yaml
tests: tests:
- it: skips gpg init container - it: skips gpg init container
template: templates/gitea/statefulset.yaml template: templates/gitea/deployment.yaml
asserts: asserts:
- notContains: - notContains:
path: spec.template.spec.initContainers path: spec.template.spec.initContainers
@ -15,24 +15,24 @@ tests:
content: content:
name: configure-gpg name: configure-gpg
- it: skips gpg env in `init-directories` init container - it: skips gpg env in `init-directories` init container
template: templates/gitea/statefulset.yaml template: templates/gitea/deployment.yaml
set: set:
signing.enabled: true signing.enabled: false
asserts: asserts:
- contains: - notContains:
path: spec.template.spec.initContainers[0].env path: spec.template.spec.initContainers[0].env
content: content:
name: GNUPGHOME name: GNUPGHOME
value: /data/git/.gnupg value: /data/git/.gnupg
- it: skips gpg env in runtime container - it: skips gpg env in runtime container
template: templates/gitea/statefulset.yaml template: templates/gitea/deployment.yaml
asserts: asserts:
- notContains: - notContains:
path: spec.template.spec.containers[0].env path: spec.template.spec.containers[0].env
content: content:
name: GNUPGHOME name: GNUPGHOME
- it: skips gpg volume spec - it: skips gpg volume spec
template: templates/gitea/statefulset.yaml template: templates/gitea/deployment.yaml
asserts: asserts:
- notContains: - notContains:
path: spec.template.spec.volumes path: spec.template.spec.volumes


@ -1,13 +1,13 @@
suite: Statefulset template (signing enabled) suite: deployment template (signing enabled)
release: release:
name: forgejo-unittests name: forgejo-unittests
namespace: testing namespace: testing
templates: templates:
- templates/gitea/statefulset.yaml - templates/gitea/deployment.yaml
- templates/gitea/config.yaml - templates/gitea/config.yaml
tests: tests:
- it: adds gpg init container - it: adds gpg init container
template: templates/gitea/statefulset.yaml template: templates/gitea/deployment.yaml
set: set:
signing: signing:
enabled: true enabled: true
@ -39,9 +39,10 @@ tests:
mountPath: /raw mountPath: /raw
readOnly: true readOnly: true
- it: adds gpg env in `init-directories` init container - it: adds gpg env in `init-directories` init container
template: templates/gitea/statefulset.yaml template: templates/gitea/deployment.yaml
set: set:
signing.enabled: true signing.enabled: true
signing.existingSecret: "custom-gpg-secret"
asserts: asserts:
- contains: - contains:
path: spec.template.spec.initContainers[0].env path: spec.template.spec.initContainers[0].env
@ -49,9 +50,10 @@ tests:
name: GNUPGHOME name: GNUPGHOME
value: /data/git/.gnupg value: /data/git/.gnupg
- it: adds gpg env in runtime container - it: adds gpg env in runtime container
template: templates/gitea/statefulset.yaml template: templates/gitea/deployment.yaml
set: set:
signing.enabled: true signing.enabled: true
signing.existingSecret: "custom-gpg-secret"
asserts: asserts:
- contains: - contains:
path: spec.template.spec.containers[0].env path: spec.template.spec.containers[0].env
@ -59,10 +61,11 @@ tests:
name: GNUPGHOME name: GNUPGHOME
value: /data/git/.gnupg value: /data/git/.gnupg
- it: adds gpg volume spec - it: adds gpg volume spec
template: templates/gitea/statefulset.yaml template: templates/gitea/deployment.yaml
set: set:
signing: signing:
enabled: true enabled: true
existingSecret: "forgejo-unittests-gpg-key"
asserts: asserts:
- contains: - contains:
path: spec.template.spec.volumes path: spec.template.spec.volumes
@ -75,7 +78,7 @@ tests:
path: private.asc path: private.asc
defaultMode: 0100 defaultMode: 0100
- it: supports gpg volume spec with external reference - it: supports gpg volume spec with external reference
template: templates/gitea/statefulset.yaml template: templates/gitea/deployment.yaml
set: set:
signing: signing:
enabled: true enabled: true


@ -0,0 +1,64 @@
suite: deployment template (SSH configuration)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: supports defining SSH log level for root based image
template: templates/gitea/deployment.yaml
set:
image.rootless: false
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSH_LOG_LEVEL
value: "INFO"
- it: supports overriding SSH log level
template: templates/gitea/deployment.yaml
set:
image.rootless: false
gitea.ssh.logLevel: "DEBUG"
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSH_LOG_LEVEL
value: "DEBUG"
- it: supports overriding SSH log level (even when image.fullOverride set)
template: templates/gitea/deployment.yaml
set:
image.fullOverride: gitea/gitea:1.19.3
image.rootless: false
gitea.ssh.logLevel: "DEBUG"
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSH_LOG_LEVEL
value: "DEBUG"
- it: skips SSH_LOG_LEVEL for rootless image
template: templates/gitea/deployment.yaml
set:
image.rootless: true
gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
asserts:
- notContains:
path: spec.template.spec.containers[0].env
any: true
content:
name: SSH_LOG_LEVEL
- it: skips SSH_LOG_LEVEL for rootless image (even when image.fullOverride set)
template: templates/gitea/deployment.yaml
set:
image.fullOverride: gitea/gitea:1.19.3
image.rootless: true
gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here
asserts:
- notContains:
path: spec.template.spec.containers[0].env
any: true
content:
name: SSH_LOG_LEVEL


@ -11,7 +11,7 @@ tests:
enabled: true enabled: true
asserts: asserts:
- failedTemplate: - failedTemplate:
errorMessage: Either specify `signing.privateKey` or `signing.existingKey` errorMessage: Either specify `signing.privateKey` or `signing.existingSecret`
- it: skips rendering using external secret reference - it: skips rendering using external secret reference
set: set:
signing: signing:
@ -33,7 +33,7 @@ tests:
kind: Secret kind: Secret
apiVersion: v1 apiVersion: v1
name: forgejo-unittests-gpg-key name: forgejo-unittests-gpg-key
- isNotEmpty: - isNotNullOrEmpty:
path: metadata.labels path: metadata.labels
- equal: - equal:
path: data.privateKey path: data.privateKey


@ -0,0 +1,88 @@
suite: Init template
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/init.yaml
tests:
- it: runs gpg in batch mode
set:
signing.enabled: true
signing.privateKey: |-
-----BEGIN PGP PRIVATE KEY BLOCK-----
{placeholder}
-----END PGP PRIVATE KEY BLOCK-----
asserts:
- equal:
path: stringData["configure_gpg_environment.sh"]
value: |-
#!/usr/bin/env bash
set -eu
gpg --batch --import /raw/private.asc
- it: skips gpg script block for disabled signing
asserts:
- equal:
path: stringData["init_directory_structure.sh"]
value: |-
#!/usr/bin/env bash
set -euo pipefail
set -x
mkdir -p /data/git/.ssh
chmod -R 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
# prepare temp directory structure
mkdir -p "${GITEA_TEMP}"
chmod ug+rwx "${GITEA_TEMP}"
- it: adds gpg script block for enabled signing
set:
signing.enabled: true
signing.privateKey: |-
-----BEGIN PGP PRIVATE KEY BLOCK-----
{placeholder}
-----END PGP PRIVATE KEY BLOCK-----
asserts:
- equal:
path: stringData["init_directory_structure.sh"]
value: |-
#!/usr/bin/env bash
set -euo pipefail
set -x
mkdir -p /data/git/.ssh
chmod -R 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
# prepare temp directory structure
mkdir -p "${GITEA_TEMP}"
chmod ug+rwx "${GITEA_TEMP}"
if [ ! -d "${GNUPGHOME}" ]; then
mkdir -p "${GNUPGHOME}"
chmod 700 "${GNUPGHOME}"
chown 1000:1000 "${GNUPGHOME}"
fi
- it: it does not chown /data even when image.fullOverride is set
template: templates/gitea/init.yaml
set:
image.fullOverride: gitea/gitea:1.20.5
asserts:
- equal:
path: stringData["init_directory_structure.sh"]
value: |-
#!/usr/bin/env bash
set -euo pipefail
set -x
mkdir -p /data/git/.ssh
chmod -R 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
# prepare temp directory structure
mkdir -p "${GITEA_TEMP}"
chmod ug+rwx "${GITEA_TEMP}"
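Review bot: None of the cases in this new suite set `image.rootless`, whereas the sibling init suite modified in this commit adds `image.rootless: false` to each of its cases, so which image variant these expected scripts describe is left implicit (presumably the rootless default, given the test that asserts no `chown` of `/data`). Adding `image.rootless: true` under each `set:`, or a `# expectations below are for the rootless image (chart default)` comment after `templates:`, makes the pairing between the two suites explicit. The description `it: it does not chown /data even when image.fullOverride is set` repeats "it"; `it: does not chown /data even when image.fullOverride is set` reads cleanly and matches the other cases.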


@ -7,7 +7,12 @@ templates:
tests: tests:
- it: runs gpg in batch mode - it: runs gpg in batch mode
set: set:
image.rootless: false
signing.enabled: true signing.enabled: true
signing.privateKey: |-
-----BEGIN PGP PRIVATE KEY BLOCK-----
{placeholder}
-----END PGP PRIVATE KEY BLOCK-----
asserts: asserts:
- equal: - equal:
path: stringData["configure_gpg_environment.sh"] path: stringData["configure_gpg_environment.sh"]
@ -17,6 +22,8 @@ tests:
gpg --batch --import /raw/private.asc gpg --batch --import /raw/private.asc
- it: skips gpg script block for disabled signing - it: skips gpg script block for disabled signing
set:
image.rootless: false
asserts: asserts:
- equal: - equal:
path: stringData["init_directory_structure.sh"] path: stringData["init_directory_structure.sh"]
@ -37,7 +44,12 @@ tests:
chmod ug+rwx "${GITEA_TEMP}" chmod ug+rwx "${GITEA_TEMP}"
- it: adds gpg script block for enabled signing - it: adds gpg script block for enabled signing
set: set:
image.rootless: false
signing.enabled: true signing.enabled: true
signing.privateKey: |-
-----BEGIN PGP PRIVATE KEY BLOCK-----
{placeholder}
-----END PGP PRIVATE KEY BLOCK-----
asserts: asserts:
- equal: - equal:
path: stringData["init_directory_structure.sh"] path: stringData["init_directory_structure.sh"]


@ -0,0 +1,82 @@
suite: ServiceAccount template (basic)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/serviceaccount.yaml
tests:
- it: skips rendering by default
asserts:
- hasDocuments:
count: 0
- it: renders default ServiceAccount object with serviceAccount.create=true
set:
serviceAccount.create: true
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ServiceAccount
apiVersion: v1
name: gitea-unittests-forgejo
- equal:
path: automountServiceAccountToken
value: false
- notExists:
path: imagePullSecrets
- notExists:
path: metadata.annotations
- it: allows for adding custom labels
set:
serviceAccount:
create: true
labels:
custom: label
asserts:
- equal:
path: metadata.labels.custom
value: label
- it: allows for adding custom annotations
set:
serviceAccount:
create: true
annotations:
myCustom: annotation
asserts:
- equal:
path: metadata.annotations.myCustom
value: annotation
- it: allows to override the generated name
set:
serviceAccount:
create: true
name: provided-serviceaccount-name
asserts:
- equal:
path: metadata.name
value: provided-serviceaccount-name
- it: allows to mount the token
set:
serviceAccount:
create: true
automountServiceAccountToken: true
asserts:
- equal:
path: automountServiceAccountToken
value: true
- it: allows to reference image pull secrets
set:
serviceAccount:
create: true
imagePullSecrets:
- name: testing-image-pull-secret
- name: another-pull-secret
asserts:
- contains:
path: imagePullSecrets
content:
name: testing-image-pull-secret
- contains:
path: imagePullSecrets
content:
name: another-pull-secret
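Review bot: The combination `serviceAccount.create: false` together with a non-empty `serviceAccount.name` is only asserted against deployment.yaml (in the reference suite), never against serviceaccount.yaml itself, so nothing here guarantees the chart stays silent for an externally managed account. Since the values documentation says `serviceAccount.name` may point at an existing ServiceAccount, a later template change could start emitting a competing object with that name and no test in this suite would catch it. Adding a case that pins `hasDocuments: count: 0` for that input closes the gap.

```yaml
  - it: renders nothing with serviceAccount.create=false even when a name is provided
    set:
      serviceAccount:
        create: false
        name: externally-existing-serviceaccount
    asserts:
      - hasDocuments:
          count: 0
```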

View file

@ -0,0 +1,32 @@
suite: ServiceAccount template (reference)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/serviceaccount.yaml
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: does not modify the deployment by default
template: templates/gitea/deployment.yaml
asserts:
- notExists:
path: spec.serviceAccountName
- it: adds the reference to the deployment with serviceAccount.create=true
template: templates/gitea/deployment.yaml
set:
serviceAccount.create: true
asserts:
- equal:
path: spec.template.spec.serviceAccountName
value: gitea-unittests-forgejo
- it: allows referencing an externally created ServiceAccount to the deployment
template: templates/gitea/deployment.yaml
set:
serviceAccount:
create: false # explicitly set to define rendering behavior
name: "externally-existing-serviceaccount"
asserts:
- equal:
path: spec.template.spec.serviceAccountName
value: externally-existing-serviceaccount
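Review bot: The negative assertion in `does not modify the deployment by default` checks `spec.serviceAccountName`, but the two positive cases below read the field at `spec.template.spec.serviceAccountName`; a Deployment never carries the field at the top-level `spec`, so the default-case assertion passes regardless of what the template renders. It should be `path: spec.template.spec.serviceAccountName` so that an accidental default reference is actually detected. Listing `templates/gitea/config.yaml` without any test targeting it is presumably needed for rendering the deployment; if not, it can be dropped from `templates:`.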

View file

@ -20,9 +20,19 @@ global:
# hostnames: # hostnames:
# - example.com # - example.com
## @param replicaCount number of replicas for the statefulset ## @param replicaCount number of replicas for the deployment
replicaCount: 1 replicaCount: 1
## @section strategy
## @param strategy.type strategy type
## @param strategy.rollingUpdate.maxSurge maxSurge
## @param strategy.rollingUpdate.maxUnavailable maxUnavailable
strategy:
type: "RollingUpdate"
rollingUpdate:
maxSurge: "100%"
maxUnavailable: 0
## @param clusterDomain cluster domain ## @param clusterDomain cluster domain
clusterDomain: cluster.local clusterDomain: cluster.local
@ -30,15 +40,19 @@ clusterDomain: cluster.local
## @param image.registry image registry, e.g. gcr.io,docker.io ## @param image.registry image registry, e.g. gcr.io,docker.io
## @param image.repository Image to start for this pod ## @param image.repository Image to start for this pod
## @param image.tag Visit: [Image tag](https://codeberg.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml. ## @param image.tag Visit: [Image tag](https://codeberg.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml.
## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
## @param image.pullPolicy Image pull policy ## @param image.pullPolicy Image pull policy
## @param image.rootless Wether or not to pull the rootless version of Forgejo, only works on Forgejo 1.14.x or higher ## @param image.rootless Wether or not to pull the rootless version of Forgejo
## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).**
image: image:
registry: "codeberg.org" registry: codeberg.org
repository: forgejo/forgejo repository: forgejo/forgejo
# Overrides the image tag whose default is the chart appVersion. # Overrides the image tag whose default is the chart appVersion.
tag: "" tag: ""
pullPolicy: Always digest: ""
rootless: false # only possible when running 1.14 or later pullPolicy: IfNotPresent
rootless: true
fullOverride: ""
## @param imagePullSecrets Secret to use for pulling the image ## @param imagePullSecrets Secret to use for pulling the image
imagePullSecrets: [] imagePullSecrets: []
@ -74,11 +88,16 @@ containerSecurityContext: {}
## @param securityContext Run init and Forgejo containers as a specific securityContext ## @param securityContext Run init and Forgejo containers as a specific securityContext
securityContext: {} securityContext: {}
## @param podDisruptionBudget Pod disruption budget
podDisruptionBudget: {}
# maxUnavailable: 1
# minAvailable: 1
## @section Service ## @section Service
service: service:
## @param service.http.type Kubernetes service type for web traffic ## @param service.http.type Kubernetes service type for web traffic
## @param service.http.port Port number for web traffic ## @param service.http.port Port number for web traffic
## @param service.http.clusterIP ClusterIP setting for http autosetup for statefulset is None ## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment is None
## @param service.http.loadBalancerIP LoadBalancer IP setting ## @param service.http.loadBalancerIP LoadBalancer IP setting
## @param service.http.nodePort NodePort for http service ## @param service.http.nodePort NodePort for http service
## @param service.http.externalTrafficPolicy If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation ## @param service.http.externalTrafficPolicy If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@ -101,7 +120,7 @@ service:
annotations: {} annotations: {}
## @param service.ssh.type Kubernetes service type for ssh traffic ## @param service.ssh.type Kubernetes service type for ssh traffic
## @param service.ssh.port Port number for ssh traffic ## @param service.ssh.port Port number for ssh traffic
## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for statefulset is None ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment is None
## @param service.ssh.loadBalancerIP LoadBalancer IP setting ## @param service.ssh.loadBalancerIP LoadBalancer IP setting
## @param service.ssh.nodePort NodePort for ssh service ## @param service.ssh.nodePort NodePort for ssh service
## @param service.ssh.externalTrafficPolicy If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation ## @param service.ssh.externalTrafficPolicy If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@ -125,7 +144,6 @@ service:
loadBalancerSourceRanges: [] loadBalancerSourceRanges: []
annotations: {} annotations: {}
## @section Ingress ## @section Ingress
## @param ingress.enabled Enable ingress ## @param ingress.enabled Enable ingress
## @param ingress.className Ingress class name ## @param ingress.className Ingress class name
@ -139,7 +157,8 @@ ingress:
enabled: false enabled: false
# className: nginx # className: nginx
className: className:
annotations: {} annotations:
{}
# kubernetes.io/ingress.class: nginx # kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true" # kubernetes.io/tls-acme: "true"
hosts: hosts:
@ -155,10 +174,11 @@ ingress:
# If helm doesn't correctly detect your ingress API version you can set it here. # If helm doesn't correctly detect your ingress API version you can set it here.
# apiVersion: networking.k8s.io/v1 # apiVersion: networking.k8s.io/v1
## @section StatefulSet ## @section deployment
# #
## @param resources Kubernetes resources ## @param resources Kubernetes resources
resources: {} resources:
{}
# We usually recommend not to specify default resources and to leave this as a conscious # We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little # choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following # resources, such as Minikube. If you do want to specify resources, uncomment the following
@ -176,52 +196,83 @@ resources: {}
## @param schedulerName Use an alternate scheduler, e.g. "stork" ## @param schedulerName Use an alternate scheduler, e.g. "stork"
schedulerName: "" schedulerName: ""
## @param nodeSelector NodeSelector for the statefulset ## @param nodeSelector NodeSelector for the deployment
nodeSelector: {} nodeSelector: {}
## @param tolerations Tolerations for the statefulset ## @param tolerations Tolerations for the deployment
tolerations: [] tolerations: []
## @param affinity Affinity for the statefulset ## @param affinity Affinity for the deployment
affinity: {} affinity: {}
## @param dnsConfig dnsConfig for the statefulset ## @param topologySpreadConstraints TopologySpreadConstraints for the deployment
topologySpreadConstraints: []
## @param dnsConfig dnsConfig for the deployment
dnsConfig: {} dnsConfig: {}
## @param statefulset.env Additional environment variables to pass to containers ## @param priorityClassName priorityClassName for the deployment
## @param statefulset.terminationGracePeriodSeconds How long to wait until forcefully kill the pod priorityClassName: ""
## @param statefulset.labels Labels for the statefulset
## @param statefulset.annotations Annotations for the Forgejo StatefulSet to be created ## @param deployment.env Additional environment variables to pass to containers
statefulset: ## @param deployment.terminationGracePeriodSeconds How long to wait until forcefully kill the pod
env: [] ## @param deployment.labels Labels for the deployment
## @param deployment.annotations Annotations for the Forgejo deployment to be created
deployment:
env:
[]
# - name: VARIABLE # - name: VARIABLE
# value: my-value # value: my-value
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60
labels: {} labels: {}
annotations: {} annotations: {}
## @section ServiceAccount
## @param serviceAccount.create Enable the creation of a ServiceAccount
## @param serviceAccount.name Name of the created ServiceAccount, defaults to release name. Can also link to an externally provided ServiceAccount that should be used.
## @param serviceAccount.automountServiceAccountToken Enable/disable auto mounting of the service account token
## @param serviceAccount.imagePullSecrets Image pull secrets, available to the ServiceAccount
## @param serviceAccount.annotations Custom annotations for the ServiceAccount
## @param serviceAccount.labels Custom labels for the ServiceAccount
serviceAccount:
create: false
name: ""
automountServiceAccountToken: false
imagePullSecrets: []
# - name: private-registry-access
annotations: {}
labels: {}
## @section Persistence ## @section Persistence
# #
## @param persistence.enabled Enable persistent storage ## @param persistence.enabled Enable persistent storage
## @param persistence.existingClaim Use an existing claim to store repository information ## @param persistence.create Whether to create the persistentVolumeClaim for shared storage
## @param persistence.mount Whether the persistentVolumeClaim should be mounted (even if not created)
## @param persistence.claimName Use an existing claim to store repository information
## @param persistence.size Size for persistence to store repo information ## @param persistence.size Size for persistence to store repo information
## @param persistence.accessModes AccessMode for persistence ## @param persistence.accessModes AccessMode for persistence
## @param persistence.labels Labels for the persistence volume claim to be created ## @param persistence.labels Labels for the persistence volume claim to be created
## @param persistence.annotations Annotations for the persistence volume claim to be created ## @param persistence.annotations.helm.sh/resource-policy Resource policy for the persistence volume claim
## @param persistence.storageClass Name of the storage class to use ## @param persistence.storageClass Name of the storage class to use
## @param persistence.subPath Subdirectory of the volume to mount at ## @param persistence.subPath Subdirectory of the volume to mount at
## @param persistence.volumeName Name of persistent volume in PVC
persistence: persistence:
enabled: true enabled: true
existingClaim: create: true
mount: true
claimName: gitea-shared-storage
size: 10Gi size: 10Gi
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
labels: {} labels: {}
annotations: {}
storageClass: storageClass:
subPath: subPath:
volumeName: ""
annotations:
helm.sh/resource-policy: keep
## @param extraVolumes Additional volumes to mount to the Forgejo statefulset ## @param extraVolumes Additional volumes to mount to the Forgejo deployment
extraVolumes: [] extraVolumes: []
# - name: postgres-ssl-vol # - name: postgres-ssl-vol
# secret: # secret:
@ -253,6 +304,16 @@ initPreScript: ""
# chown -R git:git /data/git/.postgresql/ # chown -R git:git /data/git/.postgresql/
# chmod 400 /data/git/.postgresql/postgresql.key # chmod 400 /data/git/.postgresql/postgresql.key
## @param initContainers.resources.limits initContainers.limits Kubernetes resource limits for init containers
## @param initContainers.resources.requests.cpu initContainers.requests.cpu Kubernetes cpu resource limits for init containers
## @param initContainers.resources.requests.memory initContainers.requests.memory Kubernetes memory resource limits for init containers
initContainers:
resources:
limits: {}
requests:
cpu: 100m
memory: 128Mi
# Configure commit/action signing prerequisites # Configure commit/action signing prerequisites
## @section Signing ## @section Signing
# #
@ -278,7 +339,7 @@ gitea:
## @param gitea.admin.password Password for the Forgejo admin user ## @param gitea.admin.password Password for the Forgejo admin user
## @param gitea.admin.email Email for the Forgejo admin user ## @param gitea.admin.email Email for the Forgejo admin user
admin: admin:
#existingSecret: gitea-admin-secret # existingSecret: gitea-admin-secret
existingSecret: existingSecret:
username: gitea_admin username: gitea_admin
password: r8sA8CPHD9!bt6d password: r8sA8CPHD9!bt6d
@ -294,7 +355,8 @@ gitea:
# prometheus-release: prom1 # prometheus-release: prom1
## @param gitea.ldap LDAP configuration ## @param gitea.ldap LDAP configuration
ldap: [] ldap:
[]
# - name: "LDAP 1" # - name: "LDAP 1"
# existingSecret: # existingSecret:
# securityProtocol: # securityProtocol:
@ -311,7 +373,8 @@ gitea:
# Either specify inline `key` and `secret` or refer to them via `existingSecret` # Either specify inline `key` and `secret` or refer to them via `existingSecret`
## @param gitea.oauth OAuth configuration ## @param gitea.oauth OAuth configuration
oauth: [] oauth:
[]
# - name: 'OAuth 1' # - name: 'OAuth 1'
# provider: # provider:
# key: # key:
@ -324,13 +387,14 @@ gitea:
# customProfileUrl: # customProfileUrl:
# customEmailUrl: # customEmailUrl:
## @param gitea.config Configuration for the Forgejo server,ref: [config-cheat-sheet](https://docs.gitea.io/en-us/config-cheat-sheet/) ## @param gitea.config.server.SSH_PORT SSH port for rootlful Forgejo image
config: {} ## @param gitea.config.server.SSH_LISTEN_PORT SSH port for rootless Forgejo image
config:
# APP_NAME: "Forgejo: Git with a cup of tea" # APP_NAME: "Forgejo: Git with a cup of tea"
# RUN_MODE: dev # RUN_MODE: dev
# server:
# server: SSH_PORT: 22 # rootful image
# SSH_PORT: 22 SSH_LISTEN_PORT: 2222 # rootless image
# #
# security: # security:
# PASSWORD_COMPLEXITY: spec # PASSWORD_COMPLEXITY: spec
@ -348,6 +412,10 @@ gitea:
## @param gitea.podAnnotations Annotations for the Forgejo pod ## @param gitea.podAnnotations Annotations for the Forgejo pod
podAnnotations: {} podAnnotations: {}
## @param gitea.ssh.logLevel Configure OpenSSH's log level. Only available for root-based Forgejo image.
ssh:
logLevel: "INFO"
## @section LivenessProbe ## @section LivenessProbe
# #
## @param gitea.livenessProbe.enabled Enable liveness probe ## @param gitea.livenessProbe.enabled Enable liveness probe
@ -408,18 +476,49 @@ gitea:
successThreshold: 1 successThreshold: 1
failureThreshold: 10 failureThreshold: 10
## @section Memcached ## @section redis-cluster
## @descriptionStart ## @param redis-cluster.enabled Enable redis
## Memcached is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/memcached) if enabled in the values. Complete Configuration can be taken from their website. ## @param redis-cluster.usePassword Whether to use password authentication
## @descriptionEnd ## @param redis-cluster.cluster.nodes Number of redis cluster master nodes
# ## @param redis-cluster.cluster.replicas Number of redis cluster master node replicas
## @param memcached.enabled Enable Memcached redis-cluster:
## @param memcached.service.ports.memcached Port for Memcached
memcached:
enabled: true enabled: true
usePassword: false
cluster:
nodes: 3 # default: 6
replicas: 0 # default: 1
## @section postgresql-ha
#
## @param postgresql-ha.enabled Enable postgresql-ha
## @param postgresql-ha.postgresql.password Password for the `gitea` user (overrides `auth.password`)
## @param postgresql-ha.global.postgresql.database Name for a custom database to create (overrides `auth.database`)
## @param postgresql-ha.global.postgresql.username Name for a custom user to create (overrides `auth.username`)
## @param postgresql-ha.global.postgresql.password Name for a custom password to create (overrides `auth.password`)
## @param postgresql-ha.postgresql.repmgrPassword Repmgr Password
## @param postgresql-ha.postgresql.postgresPassword postgres Password
## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword
## @param postgresql-ha.service.ports.postgresql postgresql service port (overrides `service.ports.postgresql`)
## @param postgresql-ha.primary.persistence.size PVC Storage Request for postgresql-ha volume
postgresql-ha:
global:
postgresql:
database: gitea
password: gitea
username: gitea
enabled: true
postgresql:
repmgrPassword: changeme2
postgresPassword: changeme1
password: changeme4
pgpool:
adminPassword: changeme3
service: service:
ports: ports:
memcached: 11211 postgresql: 5432
primary:
persistence:
size: 10Gi
## @section PostgreSQL ## @section PostgreSQL
## @descriptionStart ## @descriptionStart
@ -427,77 +526,23 @@ memcached:
## @descriptionEnd ## @descriptionEnd
# #
## @param postgresql.enabled Enable PostgreSQL ## @param postgresql.enabled Enable PostgreSQL
## @param postgresql.auth.database PostgreSQL database ## @param postgresql.global.postgresql.auth.password Password for the `gitea` user (overrides `auth.password`)
## @param postgresql.auth.username PostgreSQL username ## @param postgresql.global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`)
## @param postgresql.auth.password PostgreSQL username ## @param postgresql.global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`)
## @param postgresql.auth.postgresPassword PostgreSQL admin password ## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
## @param postgresql.primary.service.ports.postgresql Port to connect to PostgreSQL service
## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume ## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume
postgresql: postgresql:
enabled: true enabled: false
global:
postgresql:
auth: auth:
password: gitea
database: gitea database: gitea
username: gitea username: gitea
password: gitea
postgresPassword: gitea
primary:
service: service:
ports: ports:
postgresql: 5432 postgresql: 5432
persistence:
size: 10Gi
## @section MySQL
## @descriptionStart
## MySQL is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/mysql) if enabled in the values. Complete Configuration can be taken from their website.
## @descriptionEnd
#
#
## @param mysql.enabled Enable MySQL
## @param mysql.auth.database Name for new database to create.
## @param mysql.auth.username Username of new user to create.
## @param mysql.auth.password Password for the new user.Ignored if existing secret is provided
## @param mysql.auth.rootPassword Password for the root user. Ignored if existing secret is provided
## @param mysql.primary.service.ports.mysql Port to connect to MySQL service
## @param mysql.primary.persistence.size PVC Storage Request for MySQL volume
mysql:
enabled: false
auth:
database: gitea
username: gitea
password: gitea
rootPassword: gitea
primary: primary:
service:
ports:
mysql: 3306
persistence:
size: 10Gi
## @section MariaDB
## @descriptionStart
## MariaDB is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) if enabled in the values. Complete Configuration can be taken from their website.
## @descriptionEnd
#
#
## @param mariadb.enabled Enable MariaDB
## @param mariadb.auth.database Name of the database to create.
## @param mariadb.auth.username Username of the new user to create.
## @param mariadb.auth.password Password for the new user. Ignored if existing secret is provided
## @param mariadb.auth.rootPassword Password for the root user.
## @param mariadb.primary.service.ports.mysql Port to connect to MariaDB service
## @param mariadb.primary.persistence.size Persistence size for MariaDB
mariadb:
enabled: false
auth:
database: gitea
username: gitea
password: gitea
rootPassword: gitea
primary:
service:
ports:
mysql: 3306
persistence: persistence:
size: 10Gi size: 10Gi
@ -505,4 +550,16 @@ mariadb:
# Set it to false to skip this basic validation check. # Set it to false to skip this basic validation check.
## @section Advanced ## @section Advanced
## @param checkDeprecation Set it to false to skip this basic validation check. ## @param checkDeprecation Set it to false to skip this basic validation check.
## @param test.enabled Set it to false to disable test-connection Pod.
## @param test.image.name Image name for the wget container used in the test-connection Pod.
## @param test.image.tag Image tag for the wget container used in the test-connection Pod.
checkDeprecation: true checkDeprecation: true
test:
enabled: true
image:
name: busybox
tag: latest
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
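Review bot: The new `postgresql-ha` block ships fixed credentials (`repmgrPassword: changeme2`, `postgresPassword: changeme1`, `password: changeme4`, `pgpool.adminPassword: changeme3`, plus `global.postgresql.password: gitea`) and enables the subchart by default, and `redis-cluster.usePassword: false` disables authentication on the cache, so a release installed with defaults exposes well-known secrets for every datastore. If empty values cannot be used because the subcharts require a value, the block should at least carry a comment such as `# placeholder credentials — override for any non-local deployment` and the `@param` lines should say the same, since this file is what the generated README reflects. The `test.image.tag: latest` added in the last hunk is an unpinned mutable tag in a chart that just gained `image.digest` for exactly that reason; a digest or a fixed tag would be consistent with the rest of the change.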