Compare commits


No commits in common. "main" and "v1.0.1" have entirely different histories.
main ... v1.0.1

69 changed files with 2855 additions and 3670 deletions


@ -1,25 +0,0 @@
# action.yml
name: setup-k3s
description: 'setup k3s'
inputs:
version:
description: 'k3s version'
required: true
runs:
using: 'composite'
steps:
- shell: bash
name: install k3s
run: |
curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=${INPUT_VERSION} K3S_KUBECONFIG_MODE=640 sh -s - server
echo "KUBECONFIG=/etc/rancher/k3s/k3s.yaml" >> $GITHUB_ENV
- shell: bash
name: check k3s
run: kubectl cluster-info
- shell: bash
name: wait for nodes ready
run: |
sleep 3
kubectl wait --for=condition=Ready nodes --all --timeout=600s


@ -5,15 +5,9 @@ description: 'setup node'
runs:
using: 'composite'
steps:
- name: Setup pnpm
uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
with:
standalone: true
- uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
- uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
with:
node-version-file: .node-version
cache: 'pnpm'
cache: 'npm'
- shell: bash
run: pnpm install --frozen-lockfile
run: npm ci


@ -23,5 +23,4 @@ runs:
python3-wheel \
python3-venv \
unzip \
wget \
;


@ -1,57 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"packageRules": [
{
"description": "Separate minor and patch updates for k3s",
"matchDatasources": ["github-releases"],
"matchPackageNames": ["k3s-io/k3s"],
"separateMultipleMinor": true,
"separateMinorPatch": true,
"branchTopic": "{{{depNameSanitized}}}{{#if isMinor}}-minor{{/if}}-{{{newMajor}}}{{#if isPatch}}.{{{newMinor}}}{{/if}}.x{{#if isLockfileUpdate}}-lockfile{{/if}}",
"commitMessageSuffix": "{{#if isMinor}}(minor){{/if}}{{#if isPatch}}(patch){{/if}}"
},
{
"description": "No automerge for k3s major and minor updates",
"matchDatasources": ["github-releases"],
"matchPackageNames": ["k3s-io/k3s"],
"matchUpdateTypes": ["major", "minor"],
"automerge": false
},
{
"description": "Group k3s patch updates",
"matchDatasources": ["github-releases"],
"matchPackageNames": ["k3s-io/k3s"],
"matchUpdateTypes": ["patch"],
"groupName": "k3s"
},
{
"description": "Disable k3s major and minor updates for old versions",
"matchDatasources": ["github-releases"],
"matchFileNames": [".forgejo/workflows/**"],
"matchPackageNames": ["k3s-io/k3s"],
"matchUpdateTypes": ["major", "minor"],
"matchCurrentValue": "!/^v1.32/",
"enabled": false
}
],
"customDatasources": {
"k3s": {
"defaultRegistryUrlTemplate": "https://update.k3s.io/v1-release/channels",
"transformTemplates": [
"($isVersion:=function($name){$contains($name,/^v\\d+.\\d+$/)};{\"releases\":[data[$isVersion(name)].{\"version\":latest}],\"sourceUrl\":\"https://github.com/k3s-io/k3s\",\"homepage\":\"https://k3s.io/\"})"
]
}
},
"customManagers": [
{
"customType": "regex",
"fileMatch": [".forgejo/renovate/k3s.json"],
"matchStrings": [
"matchCurrentValue\": \"!\\/^v(?<currentValue>\\d+\\.\\d+)\\/"
],
"depNameTemplate": "k3s",
"versioningTemplate": "npm",
"datasourceTemplate": "custom.k3s"
}
]
}


@ -5,20 +5,19 @@ on:
push:
branches:
- main
- maint/**
- release/**
tags:
- v*
workflow_dispatch:
permissions:
contents: read
env:
HELM_VERSION: v3.17.2 # renovate: datasource=github-releases depName=helm packageName=helm/helm
HELM_UNITTEST_VERSION: v0.7.2 # renovate: datasource=github-releases depName=helm-unittest packageName=helm-unittest/helm-unittest
HELM_CHART_TESTING_VERSION: v3.12.0 # renovate: datasource=github-releases depName=chart-testing packageName=helm/chart-testing
KUBECTL_VERSION: v1.32.3 # renovate: datasource=github-releases depName=kubectl packageName=kubernetes/kubernetes
CT_GITHUB_GROUPS: true
HELM_VERSION: v3.13.2 # renovate: datasource=github-releases depName=helm packageName=helm/helm
HELM_UNITTEST_VERSION: v0.3.6 # renovate: datasource=github-releases depName=helm-unittest packageName=helm-unittest/helm-unittest
HELM_CHART_TESTING_VERSION: v3.10.1 # renovate: datasource=github-releases depName=chart-testing packageName=helm/chart-testing
KIND_VERSION: v0.20.0 # renovate: datasource=github-releases depName=kind packageName=kubernetes-sigs/kind
KUBECTL_VERSION: v1.28.4 # renovate: datasource=github-releases depName=kubectl packageName=kubernetes/kubernetes
jobs:
lint-node:
@ -26,24 +25,18 @@ jobs:
steps:
- run: cat /etc/os-release
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
show-progress: false
fetch-depth: 0 # Important for changelog
filter: blob:none # We don't need all blobs
- uses: ./.forgejo/actions/setup
- uses: ./.forgejo/actions/setup-node
- run: pnpm prettier
- run: pnpm markdownlint .
- run: npm run prettier
- run: npx markdownlint-cli .
- run: make readme
- run: git diff --exit-code --name-only README.md
- name: changelog
run: |
pnpm changelog ${{ github.ref_type == 'tag' && 'true' || '' }}
lint-helm:
runs-on: docker
steps:
@ -51,21 +44,20 @@ jobs:
- run: ps axf
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
show-progress: false
fetch-depth: 0
filter: blob:none # We don't need all blobs
- uses: ./.forgejo/actions/setup
- name: install chart-testing
uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
with:
version: ${{ env.HELM_CHART_TESTING_VERSION }}
- name: install helm
uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
with:
version: ${{ env.HELM_VERSION }}
@ -81,59 +73,49 @@ jobs:
- run: ct lint --config tools/ct.yml --charts .
e2e:
needs:
- lint-node
- lint-helm
runs-on: k8s
strategy:
matrix:
k3s:
# https://github.com/k3s-io/k3s/branches
# oldest supported version
- v1.28.15+k3s1 # renovate: k3s
# https://github.com/k3s-io/k3s/blob/master/channel.yaml#L3-L4
# stable version
- v1.31.6+k3s1 # renovate: k3s
# newest version
- v1.32.2+k3s1 # renovate: k3s
k8s:
# from https://hub.docker.com/r/kindest/node/tags
# - v1.25.11 # renovate: kindest
- v1.28.0 # renovate: kindest
steps:
- run: cat /etc/os-release
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
show-progress: false
fetch-depth: 0
filter: blob:none # We don't need all blobs
- uses: ./.forgejo/actions/setup
- name: install helm
uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
with:
version: ${{ env.HELM_VERSION }}
- name: Install chart-testing
uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
# TODO: pin to version when this is released: https://github.com/helm/chart-testing-action/pull/137
uses: helm/chart-testing-action@86b540ddcecb3cc009fa2bc0f44fa5b33e9751a2 # main
with:
version: ${{ env.HELM_CHART_TESTING_VERSION }}
- uses: ./.forgejo/actions/setup-k3s
- uses: ./.forgejo/actions/setup-docker
- name: Create kind cluster
uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
with:
version: ${{ matrix.k3s }}
node_image: kindest/node:${{ matrix.k8s }}
kubectl_version: ${{ env.KUBECTL_VERSION }}
version: ${{ env.KIND_VERSION }}
- run: kubectl get no -o wide
- name: install chart
uses: https://github.com/nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
with:
timeout_minutes: 15
max_attempts: 3
retry_on: error
retry_wait_seconds: 120
polling_interval_seconds: 5
command: ct install --config tools/ct.yml --charts .
run: ct install --config tools/ct.yml --charts .
# # Catch-all required check for test matrix
test-success:
@ -169,37 +151,28 @@ jobs:
if: ${{ github.ref_type == 'tag' }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
show-progress: false
fetch-depth: 0 # Important for changelog
filter: blob:none # We don't need all blobs
- uses: ./.forgejo/actions/setup
- uses: ./.forgejo/actions/setup-node
- name: install helm
uses: https://github.com/azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
uses: https://github.com/azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
with:
version: ${{ env.HELM_VERSION }}
- run: helm dependency build
- run: helm package --version "${GITHUB_REF_NAME#v}" -d tmp/ ./
- name: login to registries
run: |
echo ${CODEBERG_TOKEN} | helm registry login -u viceice --password-stdin codeberg.org/forgejo-contrib
echo ${FORGEJO_TOKEN} | helm registry login -u viceice --password-stdin code.forgejo.org/forgejo-contrib
echo ${FORGEJO_TOKEN} | helm registry login -u viceice --password-stdin code.forgejo.org/forgejo-helm
- name: login to codeberg packages
run: echo ${TOKEN} | helm registry login -u viceice --password-stdin codeberg.org/forgejo-contrib
env:
CODEBERG_TOKEN: ${{secrets.API_TOKEN}}
FORGEJO_TOKEN: ${{secrets.FORGEJO_API_TOKEN}}
TOKEN: ${{secrets.API_TOKEN}}
- name: publish forgejo helm chart
run: |
helm push tmp/forgejo-${GITHUB_REF_NAME#v}.tgz oci://codeberg.org/forgejo-contrib
helm push tmp/forgejo-${GITHUB_REF_NAME#v}.tgz oci://code.forgejo.org/forgejo-contrib
helm push tmp/forgejo-${GITHUB_REF_NAME#v}.tgz oci://code.forgejo.org/forgejo-helm
run: helm push tmp/forgejo-${GITHUB_REF_NAME#v}.tgz oci://codeberg.org/forgejo-contrib
- name: publish forgejo release
run: pnpm forgejo:release
run: npm run forgejo:release
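Review bot: In the tag-release job, the `login to codeberg packages` step expands the secret unquoted (`echo ${TOKEN} | helm registry login …`), so the value goes through word splitting and globbing, and a token starting with `-n` or `-e` would be read as an echo option. Quoting it and using printf avoids both: `run: printf '%s\n' "${TOKEN}" | helm registry login -u viceice --password-stdin codeberg.org/forgejo-contrib`. The `helm push tmp/forgejo-${GITHUB_REF_NAME#v}.tgz` line in the same job also leaves the tag-derived file name unquoted although the `helm package` line quotes it; `"tmp/forgejo-${GITHUB_REF_NAME#v}.tgz"` would be consistent. The +/- markers are lost on this page, so which of the paired lines is the new side is inferred from the `TOKEN` env entry.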


@ -1,26 +0,0 @@
on:
schedule:
- cron: '@hourly'
push:
branches:
- 'main'
workflow_dispatch:
jobs:
mirror:
runs-on: docker
steps:
- name: git mirror branches {main,maint/*] & tags
run: |
git init --bare .
git remote add origin https://code.forgejo.org/${{ env.GITHUB_REPOSITORY }}
git fetch origin refs/heads/main:refs/mirror/main --tags
git ls-remote origin refs/heads/main/* | while read sha full_ref ; do
ref=${full_ref#refs/heads/}
git fetch origin $full_ref:refs/mirror/$ref
done
git push --force https://any:$CODEBERG_TOKEN@codeberg.org/forgejo-contrib/forgejo-helm refs/mirror/*:refs/heads/* --tags
env:
CODEBERG_TOKEN: ${{secrets.CODEBERG_TOKEN}}

2
.gitignore vendored

@ -4,5 +4,3 @@ node_modules/
unittests/*/__snapshot__/
tmp/
tmpcharts/
.pnpm-store/


@ -60,6 +60,3 @@ tools/
.yamllint
artifacthub*
renovate.json
pnpm-lock.yaml
.pnpm-store/


@ -1,3 +1,6 @@
#!/bin/sh
pnpm lint-staged
# shellcheck source=/dev/null
. "$(dirname "$0")/_/husky.sh"
npx lint-staged
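Review bot: `npx lint-staged` can fall back to fetching the package from the registry when it is not already in `node_modules`, so a hook run before dependencies are installed may execute a version that the lockfile does not pin. `npx --no-install lint-staged` makes the hook fail instead of downloading. The workflow step `- run: npx markdownlint-cli .` has the same property if `markdownlint-cli` is not a devDependency, which this page does not show. A one-line comment above the command, such as `# requires a prior npm ci; never fetch tools at commit time`, would record the intent.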


@ -1,6 +1,5 @@
{
"*.sh": "shellcheck",
".husky/*": "shellcheck",
"!*.{sh,md}": "prettier --cache --ignore-unknown --write",
"*.md": ["markdownlint --fix", "prettier --cache --write"]
"*": "prettier --ignore-unknown --write"
}


@ -56,6 +56,8 @@ MD013:
tables: false
# Include headings
headings: true
# Include headings
headers: true
# Strict length checking
strict: false
# Stern length checking
@ -71,7 +73,7 @@ MD022:
# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content
MD024:
# Only check sibling headings
siblings_only: true
allow_different_nesting: true
# MD025/single-title/single-h1 - Multiple top-level headings in the same document
MD025:


@ -3,5 +3,3 @@ node_modules/
charts/
.helmignore
Chart.lock
.pnpm-store/


@ -1 +1 @@
22.14.0
20.10.0

4
.npmrc

@ -1,5 +1 @@
engine-strict=true
# pnpm run settings
# https://pnpm.io/cli/run
shell-emulator = true


@ -1,7 +1,5 @@
Chart.lock
node_modules/
pnpm-lock.yaml
.pnpm-store/
# won't work
templates/**/*.yaml


@ -4,7 +4,7 @@
".github/workflows/*",
".forgejo/workflows/*"
],
"https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.7.2/schema/helm-testsuite.json": [
"https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.3.6/schema/helm-testsuite.json": [
"/unittests/**/*.yaml"
]
},


@ -1,18 +1,12 @@
dependencies:
- name: common
repository: oci://ghcr.io/visualon/bitnamicharts
version: 2.30.0
- name: postgresql
repository: oci://ghcr.io/visualon/bitnamicharts
version: 16.5.6
repository: oci://registry-1.docker.io/bitnamicharts
version: 13.2.24
- name: postgresql-ha
repository: oci://ghcr.io/visualon/bitnamicharts
version: 15.3.8
repository: oci://registry-1.docker.io/bitnamicharts
version: 12.3.2
- name: redis-cluster
repository: oci://ghcr.io/visualon/bitnamicharts
version: 11.4.6
- name: redis
repository: oci://ghcr.io/visualon/bitnamicharts
version: 20.11.4
digest: sha256:a9c9f0779663336dd22ca4896f22bb64427e28f20aa567aee2f18474f8e31a23
generated: "2025-03-26T15:31:33.532188569Z"
repository: oci://registry-1.docker.io/bitnamicharts
version: 9.1.3
digest: sha256:a23ae06fa54de80f57931b1f87dd5562e30d6dd20d84104114751da92a83d7a1
generated: "2023-12-07T00:08:00.365663088Z"


@ -3,8 +3,8 @@ name: forgejo
description: Forgejo Helm chart for Kubernetes
type: application
version: 0.0.0
appVersion: 10.0.3
icon: https://code.forgejo.org/forgejo/forgejo/raw/branch/forgejo/assets/logo.svg
appVersion: 1.21.2-1
icon: https://design.codeberg.org/logo-kit/icon.svg
home: https://forgejo.org/
keywords:
@ -16,41 +16,28 @@ keywords:
- gitea
- gogs
sources:
- https://code.forgejo.org/forgejo-helm/forgejo-helm
- https://codeberg.org/forgejo-contrib/forgejo-helm
- https://codeberg.org/forgejo/forgejo
maintainers:
- name: Michael Kriese
email: michael.kriese@visualon.de
# Bitnami charts are served from ghcr mirror because of rate limiting on Docker Hub
# Bitnami charts are served from Docker Hub
# https://hub.docker.com/u/bitnamicharts
# https://blog.bitnami.com/2023/01/bitnami-helm-charts-available-as-oci.html
# https://github.com/bitnami/charts/issues/30853
# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
dependencies:
# https://github.com/bitnami/charts/blob/main/bitnami/common/Chart.yaml
- name: common
repository: oci://ghcr.io/visualon/bitnamicharts
tags:
- bitnami-common
version: 2.30.0
# https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml
- name: postgresql
repository: oci://ghcr.io/visualon/bitnamicharts
version: 16.5.6
repository: oci://registry-1.docker.io/bitnamicharts
version: 13.2.24
condition: postgresql.enabled
# https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
- name: postgresql-ha
repository: oci://ghcr.io/visualon/bitnamicharts
version: 15.3.8
repository: oci://registry-1.docker.io/bitnamicharts
version: 12.3.2
condition: postgresql-ha.enabled
# https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
- name: redis-cluster
repository: oci://ghcr.io/visualon/bitnamicharts
version: 11.4.6
repository: oci://registry-1.docker.io/bitnamicharts
version: 9.1.3
condition: redis-cluster.enabled
# https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml
- name: redis
repository: oci://ghcr.io/visualon/bitnamicharts
version: 20.11.4
condition: redis.enabled


@ -1,6 +1,5 @@
MIT License
Copyright (c) 2023 The Forgejo Authors
Copyright (c) 2020 The Gitea Authors
Copyright (c) 2020 NOVUM-RGI
Copyright (c) 2019 - 2020 Charlie Drage


@ -1,15 +1,15 @@
.PHONY: prepare-environment
prepare-environment:
pnpm install
npm install
.PHONY: readme
readme: prepare-environment
pnpm readme:parameters
pnpm readme:lint
npm run readme:parameters
npm run readme:lint
.PHONY: unittests
unittests:
helm unittest --strict -f 'unittests/**/*.yaml' ./
helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' ./
.PHONY: helm
update-helm-dependencies:

443
README.md

@ -1,11 +1,10 @@
# Forgejo Helm Chart <!-- omit from toc -->
[![status-badge](https://ci.dachary.org/api/badges/forgejo-contrib/forgejo-helm/status.svg)](https://ci.dachary.org/forgejo-contrib/forgejo-helm)
- [Introduction](#introduction)
- [Update and versioning policy](#update-and-versioning-policy)
- [Dependencies](#dependencies)
- [HA Dependencies](#ha-dependencies)
- [Non-HA Dependencies](#non-ha-dependencies)
- [Dependency Versioning](#dependency-versioning)
- [Installing](#installing)
- [High Availability](#high-availability)
- [Configuration](#configuration)
@ -14,12 +13,12 @@
- [Server defaults](#server-defaults)
- [Metrics defaults](#metrics-defaults)
- [Rootless Defaults](#rootless-defaults)
- [Session, Cache and Queue](#session-cache-and-queue)
- [Single-Pod Configurations](#single-pod-configurations)
- [Additional _app.ini_ settings](#additional-appini-settings)
- [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini)
- [External Database](#external-database)
- [Ports and external url](#ports-and-external-url)
- [ClusterIP](#clusterip)
- [SSH and Ingress](#ssh-and-ingress)
- [SSH on crio based kubernetes cluster](#ssh-on-crio-based-kubernetes-cluster)
- [Cache](#cache)
@ -45,37 +44,29 @@
- [Init](#init)
- [Signing](#signing)
- [Gitea](#gitea)
- [`app.ini` overrides](#appini-overrides)
- [LivenessProbe](#livenessprobe)
- [ReadinessProbe](#readinessprobe)
- [StartupProbe](#startupprobe)
- [Redis&reg; Cluster](#redis-cluster)
- [Redis&reg;](#redis)
- [PostgreSQL HA](#postgresql-ha)
- [redis-cluster](#redis-cluster)
- [PostgreSQL-ha](#postgresql-ha)
- [PostgreSQL](#postgresql)
- [Advanced](#advanced)
- [Contributing](#contributing)
- [Upgrading](#upgrading)
- [To v11](#to-v11)
- [To v10](#to-v10)
- [To v9](#to-v9)
- [To v8](#to-v8)
- [To v7](#to-v7)
- [To v6](#to-v6)
[Forgejo](https://forgejo.org/) is a community managed lightweight code hosting solution written in Go.
It is published under the MIT license.
## Introduction
This Helm chart is based on the [Gitea chart](https://gitea.com/gitea/helm-chart).
This helm chart is based on official [Gitea helm chart](https://gitea.com/gitea/helm-chart).
Yet it takes a completely different approach in providing a database and cache with dependencies.
Additionally, this chart allows to provide LDAP and admin user configuration with values.
## Update and versioning policy
The Forgejo helm chart versioning does not follow Forgejo's versioning.
The latest chart version can be looked up in <https://code.forgejo.org/forgejo-helm/-/packages/container/forgejo> or in the [repository releases](https://code.forgejo.org/forgejo-helm/forgejo-helm/releases).
The latest chart version can be looked up in <https://codeberg.org/forgejo-contrib/-/packages/container/forgejo/0.8.0> or in the [repository releases](https://codeberg.org/forgejo-contrib/forgejo-helm/releases).
The chart aims to follow Forgejo's releases closely.
There might be times when the chart is behind the latest Forgejo release.
@ -90,51 +81,21 @@ Yet most often no issues will be encountered and the chart maintainers aim to co
Forgejo can be run with an external database and cache.
This chart provides those dependencies, which can be enabled, or disabled via configuration.
### HA Dependencies
Dependencies:
These dependencies are enabled by default:
- PostgreSQL HA ([Bitnami PostgreSQL-HA](https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml))
- Redis-Cluster ([Bitnami Redis-Cluster](https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml))
### Non-HA Dependencies
Alternatively, the following non-HA replacements are available:
- PostgreSQL ([Bitnami PostgreSQL](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml))
- Redis ([Bitnami Redis](https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml))
### Dependency Versioning
Updates of sub-charts will be incorporated into the Gitea chart as they are released.
The reasoning behind this is that new users of the chart will start with the most recent sub-chart dependency versions.
**Note** If you want to stay on an older appVersion of a sub-chart dependency (e.g. PostgreSQL), you need to override the image tag in your `values.yaml` file.
In fact, we recommend to do so right from the start to be independent of major sub-chart dependency changes as they are released.
There is no need to update to every new PostgreSQL major version - you can happily skip some and do larger updates when you are ready for them.
We recommend to use a rolling tag like `:<majorVersion>-debian-<debian major version>` to incorporate minor and patch updates for the respective major version as they are released.
Alternatively you can also use a versioning helper tool like [renovate](https://github.com/renovatebot/renovate).
Please double-check the image repository and available tags in the sub-chart:
- [PostgreSQL-HA](https://hub.docker.com/r/bitnami/postgresql-repmgr/tags)
- [PostgreSQL](https://hub.docker.com/r/bitnami/postgresql/tags)
- [Redis Cluster](https://hub.docker.com/r/bitnami/redis-cluster/tags)
- [Redis](https://hub.docker.com/r/bitnami/redis/tags)
and look up the image tag which fits your needs on Dockerhub.
- PostgreSQL HA ([configuration](#postgresql))
- Redis Cluster ([configuration](#cache))
## Installing
```sh
helm install forgejo oci://code.forgejo.org/forgejo-helm/forgejo
helm install forgejo oci://codeberg.org/forgejo-contrib/forgejo
```
In case you want to supply values, you can reference a `values.yaml` file:
```sh
helm install forgejo -f values.yaml oci://code.forgejo.org/forgejo-helm/forgejo
helm install forgejo -f values.yaml oci://codeberg.org/forgejo-contrib/forgejo
```
When upgrading, please refer to the [Upgrading](#upgrading) section at the bottom of this document for major and breaking changes.
@ -150,23 +111,14 @@ See the [HA Setup](docs/ha-setup.md) document for more details.
## Configuration
Forgejo offers lots of configuration options.
Every value described in the [Cheat Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/) can be set as a Helm value.
Configuration sections map to (lowercased) YAML blocks, while the keys themselves remain in all caps.
This is fully described in the [Gitea Cheat Sheet](https://docs.gitea.com/administration/config-cheat-sheet).
```yaml
gitea:
config:
# values in the DEFAULT section
# (https://forgejo.org/docs/latest/admin/config-cheat-sheet/#overall-default)
# are un-namespaced
#
APP_NAME: 'Forgejo: Git with a cup of tea'
#
# https://forgejo.org/docs/latest/admin/config-cheat-sheet/#repository-repository
APP_NAME: 'Forgejo: With a cup of tea.'
repository:
ROOT: '~/gitea-repositories'
#
# https://forgejo.org/docs/latest/admin/config-cheat-sheet/#repository---pull-request-repositorypull-request
repository.pull-request:
WORK_IN_PROGRESS_PREFIXES: 'WIP:,[WIP]:'
```
@ -176,14 +128,14 @@ gitea:
This chart will set a few defaults in the Forgejo configuration based on the service and ingress settings.
All defaults can be overwritten in `gitea.config`.
INSTALL_LOCK is always set to true because the configuration in this helm chart makes any configuration via installer superfluous.
INSTALL_LOCK is always set to true, since we want to configure Forgejo with this helm chart and everything is taken care of.
_All default settings are made directly in the generated `app.ini`, not in the Values._
#### Database defaults
If a database subchart is enabled, the database configuration is set automatically.
For example, PostgreSQL will appear in the `app.ini` as:
If a builtIn database is enabled the database configuration is set automatically.
For example, PostgreSQL builtIn will appear in the `app.ini` as:
```ini
[database]
@ -242,21 +194,11 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us
[see deployment.yaml](./templates/gitea/deployment.yaml) template inside container "env" declarations
#### Session, Cache and Queue
The session, cache and queue settings are set to use the built-in Redis Cluster sub-chart dependency.
If Redis Cluster is disabled, the chart will fall back to the Gitea defaults which use "memory" for `session` and `cache` and "level" for `queue`.
While these will work and even not cause immediate issues after startup, **they are not recommended for production use**.
Reasons being that a single pod will take on all the work for `session` and `cache` tasks in its available memory.
It is likely that the pod will run out of memory or will face substantial memory spikes, depending on the workload.
External tools such as `redis-cluster` or `memcached` handle these workloads much better.
### Single-Pod Configurations
If HA is not needed/desired, the following configurations can be used to deploy a single-pod Forgejo instance.
1. For a production-ready single-pod Forgejo instance without external dependencies (using the chart dependency `postgresql` and `redis`):
1. For a production-ready single-pod Forgejo instance without external dependencies (using the chart dependency `postgresql`):
<details>
@ -265,8 +207,6 @@ If HA is not needed/desired, the following configurations can be used to deploy
```yaml
redis-cluster:
enabled: false
redis:
enabled: true
postgresql:
enabled: true
postgresql-ha:
@ -279,6 +219,12 @@ If HA is not needed/desired, the following configurations can be used to deploy
config:
database:
DB_TYPE: postgres
session:
PROVIDER: db
cache:
ADAPTER: memory
queue:
TYPE: level
indexer:
ISSUE_INDEXER_TYPE: bleve
REPO_INDEXER_ENABLED: true
@ -298,8 +244,6 @@ If HA is not needed/desired, the following configurations can be used to deploy
```yaml
redis-cluster:
enabled: false
redis:
enabled: false
postgresql:
enabled: false
postgresql-ha:
@ -324,7 +268,7 @@ If HA is not needed/desired, the following configurations can be used to deploy
### Additional _app.ini_ settings
> **The [generic](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#overall-default)
> **The [generic](https://docs.gitea.com/administration/config-cheat-sheet#overall-default)
> section cannot be defined that way.**
Some settings inside _app.ini_ (like passwords or whole authentication configurations) must be considered sensitive and therefore should not be passed via plain text inside the _values.yaml_ file.
@ -381,7 +325,7 @@ stringData:
#### User defined environment variables in app.ini
Users are able to define their own environment variables, which are loaded into the containers.
We also support interacting directly with the generated _app.ini_.
We also support to directly interact with the generated _app.ini_.
To inject self defined variables into the _app.ini_ a certain format needs to be honored.
This is described in detail on the [env-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini) page.
@ -392,10 +336,9 @@ For example a database setting needs to have the following format:
```yaml
gitea:
config:
database:
HOST: my.own.host
additionalConfigFromEnvs:
- name: FORGEJO__DATABASE__HOST
value: my.own.host
- name: FORGEJO__DATABASE__PASSWD
valueFrom:
secretKeyRef:
@ -412,7 +355,7 @@ Priority (highest to lowest) for defining app.ini variables:
### External Database
A [supported external database](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#database-database/)can be used instead of the built-in PostgreSQL.
Any external database listed in [https://docs.gitea.com/installation/database-prep](https://docs.gitea.com/installation/database-prep) can be used instead of the built-in PostgreSQL.
In fact, it is **highly recommended** to use an external database to ensure a stable Forgejo installation longterm.
If an external database is used, no matter which type, make sure to set `postgresql.enabled` to `false` to disable the use of the built-in PostgreSQL.
@ -421,7 +364,7 @@ If an external database is used, no matter which type, make sure to set `postgre
gitea:
config:
database:
DB_TYPE: mysql # supported values are mysql, postgres, mssql, sqlite3
DB_TYPE: mysql
HOST: <mysql HOST>
NAME: gitea
USER: root
@ -449,6 +392,23 @@ This helm chart automatically configures the clone urls to use the correct ports
You can change these ports by hand using the `gitea.config` dict.
However you should know what you're doing.
### ClusterIP
By default the `clusterIP` will be set to `None`, which is the default for headless services.
However if you want to omit the clusterIP field in the service, use the following values:
```yaml
service:
http:
type: ClusterIP
port: 3000
clusterIP:
ssh:
type: ClusterIP
port: 22
clusterIP:
```
### SSH and Ingress
If you're using ingress and want to use SSH, keep in mind, that ingress is not able to forward SSH Ports.
@ -458,7 +418,7 @@ You will need a LoadBalancer like `metallb` and a setting in your ssh service an
service:
ssh:
annotations:
metallb.io/allow-shared-ip: test
metallb.universe.tf/allow-shared-ip: test
```
### SSH on crio based kubernetes cluster
@ -531,6 +491,8 @@ postgresql:
This chart enables you to create a default admin user.
It is also possible to update the password for this user by upgrading or redeploying the chart.
It is not possible to delete an admin user after it has been created.
This has to be done in the ui.
You cannot use `admin` as username.
```yaml
@ -560,26 +522,10 @@ gitea:
existingSecret: gitea-admin-secret
```
To delete the admin user, set `username` or `password` to an empty value and delete the user in the UI.
Whether you use the existing Secret or specify a username and password directly, there are three modes for how the admin user password is created or set.
- `keepUpdated` (the default) will set the admin user password, and reset it to the defined value every time the pod is recreated.
- `initialOnlyNoReset` will set the admin user password when creating it, but never try to update the password.
- `initialOnlyRequireReset` will set the admin user password when creating it, never update it, and require that the password be changed at the initial login.
These modes can be set like the following:
```yaml
gitea:
admin:
passwordMode: initialOnlyRequireReset
```
### LDAP Settings
Like the admin user the LDAP settings can be updated.
All LDAP values from <https://forgejo.org/docs/latest/admin/command-line/#admin> are available.
All LDAP values from <https://docs.gitea.com/administration/command-line#admin> are available.
Multiple LDAP sources can be configured with additional LDAP list items.
@ -632,8 +578,9 @@ Affected options:
### OAuth2 Settings
Like the admin user, OAuth2 settings can be updated and disabled but not deleted.
Deleting OAuth2 settings has to be done in the UI.
[All OAuth2 values](https://forgejo.org/docs/latest/admin/command-line/#admin-auth-add-oauth) are available.
Deleting OAuth2 settings has to be done in the ui.
All OAuth2 values, which are documented [here](https://docs.gitea.com/administration/command-line#admin), are
available.
Multiple OAuth2 sources can be configured with additional OAuth list items.
@ -672,29 +619,14 @@ gitea:
existingSecret: gitea-oauth-secret
```
### Compatibility with OCP (OKD or OpenShift)
Normally OCP is automatically detected and the compatibility mode set accordingly. To enforce the OCP compatibility mode use the following configuration:
```yaml
global:
compatibility:
openshift:
adaptSecurityContext: force
```
An OCP route to access Forgejo can be enabled with the following config:
```yaml
route:
enabled: true
```
## Configure commit signing
When using the rootless image, the GPG key folder is not persistent by default.
If you want commits by Forgejo (e.g. initial commit) to be signed,
you need to provide a signing key:
When using the rootless image the gpg key folder is not persistent by default.
If you consider using signed commits for internal Forgejo activities (e.g. initial commit), you'd need to provide a signing key.
Prior to [PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be re-imported once the container got replaced by another.
The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing.
By default this section is disabled to maintain backwards compatibility.
```yaml
signing:
@ -702,10 +634,8 @@ signing:
gpgHome: /data/git/.gnupg
```
By default this section is disabled to maintain backwards compatibility.
Regardless of the used container image the `signing` object allows to specify a private GPG key.
Either using the `signing.privateKey` to define the key inline, or referring to an existing secret containing the key data with `signing.existingSecret`.
Regardless of the used container image the `signing` object allows to specify a private gpg key.
Either using the `signing.privateKey` to define the key inline, or refer to an existing secret containing the key data by using `signing.existingSecret`.
```yaml
apiVersion: v1
@ -725,8 +655,8 @@ signing:
existingSecret: custom-gitea-gpg-key
```
To use the GPG key, Forgejo needs to be configured accordingly.
A detailed description can be found in the [documentation](https://forgejo.org/docs/latest/admin/signing/#general-configuration).
To use the gpg key, Forgejo needs to be configured accordingly.
A detailed description can be found in the [official Gitea documentation](https://docs.gitea.com/administration/signing#general-configuration).
## Metrics and profiling
@ -831,7 +761,7 @@ Here's an examplary `values.yml` definition which makes use of a digest:
```yaml
image:
registry: code.forgejo.org
registry: codeberg.org
repository: forgejo/forgejo
tag: 1.20.2-0
digest: sha256:f597c14a403c2fdee9a62dae8bae29d6442f7b2cc85872cc9bb535a24cb1630e
@ -848,7 +778,7 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
"fileMatch": ["values\\.ya?ml"],
"matchStrings": ["(?<depName>forgejo\\/forgejo)\\n(?<indentation>\\s+)tag: (?<currentValue>[^@].*?)\\n\\s+digest: (?<currentDigest>sha256:[a-f0-9]+)"],
"datasourceTemplate": "docker",
"packageNameTemplate": "code.forgejo.org/{{depName}}",
"packageNameTemplate": "codeberg.org/{{depName}}",
"autoReplaceStringTemplate": "{{depName}}\n{{indentation}}tag: {{newValue}}\n{{indentation}}digest: {{#if newDigest}}{{{newDigest}}}{{else}}{{{currentDigest}}}{{/if}}"
}
]
@ -864,7 +794,6 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]` |
| `global.storageClass` | global storage class override | `""` |
| `global.hostAliases` | global hostAliases which will be added to the pod's hosts files | `[]` |
| `namespaceOverride` | String to fully override common.names.namespace | `""` |
| `replicaCount` | number of replicas for the deployment | `1` |
### strategy
@ -878,16 +807,16 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
### Image
| Name | Description | Value |
| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
| `image.registry` | image registry, e.g. gcr.io,docker.io | `code.forgejo.org` |
| `image.repository` | Image to start for this pod | `forgejo/forgejo` |
| `image.tag` | Visit: [Image tag](https://code.forgejo.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml. | `""` |
| `image.digest` | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` | `""` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.rootless` | Wether or not to pull the rootless version of Forgejo | `true` |
| `image.fullOverride` | Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** | `""` |
| `imagePullSecrets` | Secret to use for pulling the image | `[]` |
| Name | Description | Value |
| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
| `image.registry` | image registry, e.g. gcr.io,docker.io | `codeberg.org` |
| `image.repository` | Image to start for this pod | `forgejo/forgejo` |
| `image.tag` | Visit: [Image tag](https://codeberg.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml. | `""` |
| `image.digest` | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` | `""` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.rootless` | Wether or not to pull the rootless version of Forgejo | `true` |
| `image.fullOverride` | Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** | `""` |
| `imagePullSecrets` | Secret to use for pulling the image | `[]` |
### Security
@ -904,7 +833,7 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
| `service.http.type` | Kubernetes service type for web traffic | `ClusterIP` |
| `service.http.port` | Port number for web traffic | `3000` |
| `service.http.clusterIP` | ClusterIP setting for http autosetup for deployment | `nil` |
| `service.http.clusterIP` | ClusterIP setting for http autosetup for deployment is None | `None` |
| `service.http.loadBalancerIP` | LoadBalancer IP setting | `nil` |
| `service.http.nodePort` | NodePort for http service | `nil` |
| `service.http.externalTrafficPolicy` | If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | `nil` |
@ -913,11 +842,9 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
| `service.http.ipFamilies` | HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). | `nil` |
| `service.http.loadBalancerSourceRanges` | Source range filter for http loadbalancer | `[]` |
| `service.http.annotations` | HTTP service annotations | `{}` |
| `service.http.labels` | HTTP service additional labels | `{}` |
| `service.http.loadBalancerClass` | Loadbalancer class | `nil` |
| `service.ssh.type` | Kubernetes service type for ssh traffic | `ClusterIP` |
| `service.ssh.port` | Port number for ssh traffic | `22` |
| `service.ssh.clusterIP` | ClusterIP setting for ssh autosetup for deployment | `nil` |
| `service.ssh.clusterIP` | ClusterIP setting for ssh autosetup for deployment is None | `None` |
| `service.ssh.loadBalancerIP` | LoadBalancer IP setting | `nil` |
| `service.ssh.nodePort` | NodePort for ssh service | `nil` |
| `service.ssh.externalTrafficPolicy` | If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | `nil` |
@ -927,36 +854,19 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
| `service.ssh.hostPort` | HostPort for ssh service | `nil` |
| `service.ssh.loadBalancerSourceRanges` | Source range filter for ssh loadbalancer | `[]` |
| `service.ssh.annotations` | SSH service annotations | `{}` |
| `service.ssh.labels` | SSH service additional labels | `{}` |
| `service.ssh.loadBalancerClass` | Loadbalancer class | `nil` |
### Ingress
| Name | Description | Value |
| ------------------------------------ | -------------------- | ----------------- |
| `ingress.enabled` | Enable ingress | `false` |
| `ingress.className` | Ingress class name | `nil` |
| `ingress.annotations` | Ingress annotations | `{}` |
| `ingress.hosts[0].host` | Default Ingress host | `git.example.com` |
| `ingress.hosts[0].paths[0].path` | Default Ingress path | `/` |
| `ingress.hosts[0].paths[0].pathType` | Ingress path type | `Prefix` |
| `ingress.tls` | Ingress tls settings | `[]` |
### Route
| Name | Description | Value |
| ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `route.enabled` | Enable route | `false` |
| `route.annotations` | Route annotations | `{}` |
| `route.host` | Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined) | `nil` |
| `route.wildcardPolicy` | Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed. | `nil` |
| `route.tls.termination` | termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls)) | `edge` |
| `route.tls.insecureEdgeTerminationPolicy` | the desired behavior for insecure connections to a route (e.g. with http) | `Redirect` |
| `route.tls.existingSecret` | the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored) | `nil` |
| `route.tls.certificate` | PEM encoded single certificate | `nil` |
| `route.tls.privateKey` | PEM encoded private key | `nil` |
| `route.tls.caCertificate` | PEM encoded CA certificate or chain that issued the certificate | `nil` |
| `route.tls.destinationCACertificate` | PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise) | `nil` |
| Name | Description | Value |
| ------------------------------------ | --------------------------------------------------------------------------- | ----------------- |
| `ingress.enabled` | Enable ingress | `false` |
| `ingress.className` | Ingress class name | `nil` |
| `ingress.annotations` | Ingress annotations | `{}` |
| `ingress.hosts[0].host` | Default Ingress host | `git.example.com` |
| `ingress.hosts[0].paths[0].path` | Default Ingress path | `/` |
| `ingress.hosts[0].paths[0].pathType` | Ingress path type | `Prefix` |
| `ingress.tls` | Ingress tls settings | `[]` |
| `ingress.apiVersion` | Specify APIVersion of ingress object. Mostly would only be used for argocd. | |
### deployment
@ -1021,83 +931,27 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
| ------------------------ | ----------------------------------------------------------------- | ------------------ |
| `signing.enabled` | Enable commit/action signing | `false` |
| `signing.gpgHome` | GPG home directory | `/data/git/.gnupg` |
| `signing.privateKey` | Inline private GPG key for signed internal Git activity | `""` |
| `signing.privateKey` | Inline private gpg key for signed Forgejo actions | `""` |
| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` |
### Gitea
| Name | Description | Value |
| ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------- |
| `gitea.admin.username` | Username for the Forgejo admin user | `gitea_admin` |
| `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` |
| `gitea.admin.password` | Password for the Forgejo admin user | `r8sA8CPHD9!bt6d` |
| `gitea.admin.email` | Email for the Forgejo admin user | `gitea@local.domain` |
| `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` |
| `gitea.metrics.enabled` | Enable Forgejo metrics | `false` |
| `gitea.metrics.serviceMonitor.enabled` | Enable Forgejo metrics service monitor | `false` |
| `gitea.metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` |
| `gitea.ldap` | LDAP configuration | `[]` |
| `gitea.oauth` | OAuth configuration | `[]` |
| `gitea.additionalConfigSources` | Additional configuration from secret or configmap | `[]` |
| `gitea.additionalConfigFromEnvs` | Additional configuration sources from environment variables | `[]` |
| `gitea.podAnnotations` | Annotations for the Forgejo pod | `{}` |
| `gitea.ssh.logLevel` | Configure OpenSSH's log level. Only available for root-based Forgejo image. | `INFO` |
### `app.ini` overrides
Every value described in the [Cheat
Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/) can be
set as a Helm value. Configuration sections map to (lowercased) YAML
blocks, while the keys themselves remain in all caps.
| Name | Description | Value |
| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- |
| `gitea.config.APP_NAME` | Application name, used in the page title | `Forgejo: Beyond coding. We forge.` |
| `gitea.config.RUN_MODE` | Application run mode, affects performance and debugging: `dev` or `prod` | `prod` |
| `gitea.config.repository` | General repository settings | `{}` |
| `gitea.config.cors` | Cross-origin resource sharing settings | `{}` |
| `gitea.config.ui` | User interface settings | `{}` |
| `gitea.config.markdown` | Markdown parser settings | `{}` |
| `gitea.config.server` | General server settings | `{}` |
| `gitea.config.database` | Database configuration (only necessary with an [externally managed DB](https://code.forgejo.org/forgejo-helm/forgejo-helm#external-database)). | `{}` |
| `gitea.config.indexer` | Settings for what content is indexed and how | `{}` |
| `gitea.config.queue` | Job queue configuration | `{}` |
| `gitea.config.admin` | Admin user settings | `{}` |
| `gitea.config.security` | Site security settings | `{}` |
| `gitea.config.camo` | Settings for the [camo](https://github.com/cactus/go-camo) media proxy server (disabled by default) | `{}` |
| `gitea.config.openid` | Configuration for authentication with OpenID (disabled by default) | `{}` |
| `gitea.config.oauth2_client` | OAuth2 client settings | `{}` |
| `gitea.config.service` | Configuration for miscellaneous Forgejo services | `{}` |
| `gitea.config.ssh.minimum_key_sizes` | SSH minimum key sizes | `{}` |
| `gitea.config.webhook` | Webhook settings | `{}` |
| `gitea.config.mailer` | Mailer configuration (disabled by default) | `{}` |
| `gitea.config.email.incoming` | Configuration for handling incoming mail (disabled by default) | `{}` |
| `gitea.config.cache` | Cache configuration | `{}` |
| `gitea.config.session` | Session/cookie handling | `{}` |
| `gitea.config.picture` | User avatar settings | `{}` |
| `gitea.config.project` | Project board defaults | `{}` |
| `gitea.config.attachment` | Issue and PR attachment configuration | `{}` |
| `gitea.config.log` | Logging configuration | `{}` |
| `gitea.config.cron` | Cron job configuration | `{}` |
| `gitea.config.git` | Global settings for Git | `{}` |
| `gitea.config.metrics` | Settings for the Prometheus endpoint (disabled by default) | `{}` |
| `gitea.config.api` | Settings for the Swagger API documentation endpoints | `{}` |
| `gitea.config.oauth2` | Settings for the [OAuth2 provider](https://forgejo.org/docs/latest/admin/oauth2-provider/) | `{}` |
| `gitea.config.i18n` | Internationalization settings | `{}` |
| `gitea.config.markup` | Configuration for advanced markup processors | `{}` |
| `gitea.config.highlight.mapping` | File extension to language mapping overrides for syntax highlighting | `{}` |
| `gitea.config.time` | Locale settings | `{}` |
| `gitea.config.migrations` | Settings for Git repository migrations | `{}` |
| `gitea.config.federation` | Federation configuration | `{}` |
| `gitea.config.packages` | Package registry settings | `{}` |
| `gitea.config.mirror` | Configuration for repository mirroring | `{}` |
| `gitea.config.lfs` | Large File Storage configuration | `{}` |
| `gitea.config.repo-avatar` | Repository avatar storage configuration | `{}` |
| `gitea.config.avatar` | User/org avatar storage configuration | `{}` |
| `gitea.config.storage` | General storage settings | `{}` |
| `gitea.config.proxy` | Proxy configuration (disabled by default) | `{}` |
| `gitea.config.actions` | Configuration for [Forgejo Actions](https://forgejo.org/docs/latest/user/actions/) | `{}` |
| `gitea.config.other` | Uncategorized configuration options | `{}` |
| Name | Description | Value |
| -------------------------------------- | --------------------------------------------------------------------------- | -------------------- |
| `gitea.admin.username` | Username for the Forgejo admin user | `gitea_admin` |
| `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` |
| `gitea.admin.password` | Password for the Forgejo admin user | `r8sA8CPHD9!bt6d` |
| `gitea.admin.email` | Email for the Forgejo admin user | `gitea@local.domain` |
| `gitea.metrics.enabled` | Enable Forgejo metrics | `false` |
| `gitea.metrics.serviceMonitor.enabled` | Enable Forgejo metrics service monitor | `false` |
| `gitea.ldap` | LDAP configuration | `[]` |
| `gitea.oauth` | OAuth configuration | `[]` |
| `gitea.config.server.SSH_PORT` | SSH port for rootlful Forgejo image | `22` |
| `gitea.config.server.SSH_LISTEN_PORT` | SSH port for rootless Forgejo image | `2222` |
| `gitea.additionalConfigSources` | Additional configuration from secret or configmap | `[]` |
| `gitea.additionalConfigFromEnvs` | Additional configuration sources from environment variables | `[]` |
| `gitea.podAnnotations` | Annotations for the Forgejo pod | `{}` |
| `gitea.ssh.logLevel` | Configure OpenSSH's log level. Only available for root-based Forgejo image. | `INFO` |
### LivenessProbe
@ -1113,16 +967,15 @@ blocks, while the keys themselves remain in all caps.
### ReadinessProbe
| Name | Description | Value |
| ------------------------------------------ | ------------------------------------------------- | -------------- |
| `gitea.readinessProbe.enabled` | Enable readiness probe | `true` |
| `gitea.readinessProbe.httpGet.path` | Path to probe for readiness | `/api/healthz` |
| `gitea.readinessProbe.httpGet.port` | Port to probe for readiness | `http` |
| `gitea.readinessProbe.initialDelaySeconds` | Initial delay before readiness probe is initiated | `5` |
| `gitea.readinessProbe.timeoutSeconds` | Timeout for readiness probe | `1` |
| `gitea.readinessProbe.periodSeconds` | Period for readiness probe | `10` |
| `gitea.readinessProbe.successThreshold` | Success threshold for readiness probe | `1` |
| `gitea.readinessProbe.failureThreshold` | Failure threshold for readiness probe | `3` |
| Name | Description | Value |
| ------------------------------------------ | ------------------------------------------------- | ------ |
| `gitea.readinessProbe.enabled` | Enable readiness probe | `true` |
| `gitea.readinessProbe.tcpSocket.port` | Port to probe for readiness | `http` |
| `gitea.readinessProbe.initialDelaySeconds` | Initial delay before readiness probe is initiated | `5` |
| `gitea.readinessProbe.timeoutSeconds` | Timeout for readiness probe | `1` |
| `gitea.readinessProbe.periodSeconds` | Period for readiness probe | `10` |
| `gitea.readinessProbe.successThreshold` | Success threshold for readiness probe | `1` |
| `gitea.readinessProbe.failureThreshold` | Failure threshold for readiness probe | `3` |
### StartupProbe
@ -1139,33 +992,19 @@ blocks, while the keys themselves remain in all caps.
### Redis&reg; Cluster
Redis&reg; Cluster is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) if enabled in the values.
Full configuration options are available on their website.
Redis cluster and [Redis](#redis) cannot be enabled at the same time.
Complete Configuration can be taken from their website.
| Name | Description | Value |
| -------------------------------- | -------------------------------------------- | ------- |
| `redis-cluster.enabled` | Enable redis cluster | `true` |
| `redis-cluster.enabled` | Enable redis | `true` |
| `redis-cluster.usePassword` | Whether to use password authentication | `false` |
| `redis-cluster.cluster.nodes` | Number of redis cluster master nodes | `3` |
| `redis-cluster.cluster.replicas` | Number of redis cluster master node replicas | `0` |
### Redis&reg;
Redis&reg; is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis) if enabled in the values.
Full configuration options are available on their website.
Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
| Name | Description | Value |
| ----------------------------- | ------------------------------------------ | ------------ |
| `redis.enabled` | Enable redis standalone or replicated | `false` |
| `redis.architecture` | Whether to use standalone or replication | `standalone` |
| `redis.global.redis.password` | Required password | `changeme` |
| `redis.master.count` | Number of Redis master instances to deploy | `1` |
### PostgreSQL HA
PostgreSQL HA is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) if enabled in the values.
Full configuration options are available on their website.
Complete Configuration can be taken from their website.
| Name | Description | Value |
| ------------------------------------------- | ---------------------------------------------------------------- | ----------- |
@ -1178,12 +1017,12 @@ Full configuration options are available on their website.
| `postgresql-ha.postgresql.postgresPassword` | postgres Password | `changeme1` |
| `postgresql-ha.pgpool.adminPassword` | pgpool adminPassword | `changeme3` |
| `postgresql-ha.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `5432` |
| `postgresql-ha.primary.persistence.size` | PVC Storage Request for PostgreSQL HA volume | `10Gi` |
| `postgresql-ha.primary.persistence.size` | PVC Storage Request for PostgreSQL-ha volume | `10Gi` |
### PostgreSQL
PostgreSQL is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) if enabled in the values.
Full configuration options are available on their website.
Complete Configuration can be taken from their website.
| Name | Description | Value |
| ------------------------------------------------------- | ---------------------------------------------------------------- | ------- |
@ -1198,11 +1037,11 @@ Full configuration options are available on their website.
| Name | Description | Value |
| ------------------ | ------------------------------------------------------------------ | --------- |
| `checkDeprecation` | Whether to run this basic validation check. | `true` |
| `test.enabled` | Whether to use test-connection Pod. | `true` |
| `checkDeprecation` | Set it to false to skip this basic validation check. | `true` |
| `test.enabled` | Set it to false to disable test-connection Pod. | `true` |
| `test.image.name` | Image name for the wget container used in the test-connection Pod. | `busybox` |
| `test.image.tag` | Image tag for the wget container used in the test-connection Pod. | `latest` |
| `extraDeploy` | Array of extra objects to deploy with the release. | `[]` |
| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
## Contributing
@ -1210,46 +1049,8 @@ Expected workflow is: Fork -> Patch -> Push -> Pull Request
See [CONTRIBUTORS GUIDE](CONTRIBUTING.md) for details.
Hop into [our Matrix room](https://matrix.to/#/#forgejo-helm-chart:matrix.org) if you have any questions or want to get involved.
## Upgrading
This section lists major and breaking changes of each Helm Chart version.
Please read them carefully to upgrade successfully, especially the change of the **default database backend**!
If you miss this, blindly upgrading may delete your Postgres instance and you may lose your data!
### To v11
PostgreSQL and PostgreSQL HA are now using PostgreSQL v17.
Please read PostgresSQL upgrade guide before upgrading.
You need Forgejo v10+ to use this Helm Chart version.
Forgejo v9 is now EOL.
ClusterIP is now emtpy instead of `None` for http and ssh service.
Unsupported api versions for `Ingress` and `PodDisruptionBudget` are removed.
`Ingress` and `Service` are now using named ports.
The ReadinessProbe is now using the `/api/healthz` endpoint.
### To v10
You need Forgejo v9+ to use this Helm Chart version.
Forgejo v8 is now EOL.
### To v9
Namespaces for all resources are now set to `common.names.namespace` by default.
### To v8
You need Forgejo v8+ to use this Helm Chart version.
Use the v7 Helm Chart for Forgejo v7.
### To v7
The Forgejo docker image is pulled from `code.forgejo.org` instead of `codeberg.org`.
### To v6
You need Forgejo v7+ to use this Helm Chart version.
Use the v5 Helm Chart for Forgejo v1.21.


@ -2,7 +2,7 @@
# Artifact Hub repository metadata file
# https://artifacthub.io/docs/topics/repositories/helm-charts/#oci-support
# publish via:
# oras push code.forgejo.org/forgejo-helm/forgejo:artifacthub.io --config artifacthub.config.json:application/vnd.cncf.artifacthub.config.v1+yaml artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
# oras push codeberg.org/forgejo-contrib/forgejo:artifacthub.io --config artifacthub.config.json:application/vnd.cncf.artifacthub.config.v1+yaml artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
repositoryID: 'ec84c95a-a288-4aaa-a690-a656b57e3136'
owners: # (optional, used to claim repository ownership)
- name: viceice


@ -1,20 +0,0 @@
# default values with some modifications
# Use mirror
# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
global:
security:
allowInsecureImages: true
redis-cluster:
image:
registry: public.ecr.aws
postgresql-ha:
postgresql:
image:
registry: public.ecr.aws
pgpool:
image:
registry: public.ecr.aws
test:
image:
name: code.forgejo.org/oci/busybox

1
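--- a/ci/default.yml
+++ b/ci/default.yml
@@ -0,0 +1 @@
+# default values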


@ -1,14 +1,7 @@
# Test codeberg.org image
image:
registry: codeberg.org
# Use mirror
# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
test:
image:
name: code.forgejo.org/oci/busybox
redis-cluster:
enabled: false
postgresql:
enabled: false
postgresql-ha:
enabled: false


@ -1,23 +1,9 @@
redis-cluster:
enabled: false
postgresql-ha:
enabled: false
postgresql:
enabled: true
# Use mirror
# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
image:
registry: public.ecr.aws
global:
security:
allowInsecureImages: true
# Use mirror
# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
test:
image:
name: code.forgejo.org/oci/busybox
postgresql-ha:
enabled: false
persistence:
enabled: true


@ -1,29 +0,0 @@
image:
registry: codeberg.org
repository: forgejo-experimental/forgejo
tag: 10 # don't pin, manifests can be missing
# Use mirror
# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
test:
image:
name: code.forgejo.org/oci/busybox
redis-cluster:
enabled: false
postgresql-ha:
enabled: false
persistence:
enabled: false
gitea:
config:
database:
DB_TYPE: sqlite3
session:
PROVIDER: memory
cache:
ADAPTER: memory
queue:
TYPE: level


@ -1,29 +0,0 @@
image:
registry: codeberg.org
repository: forgejo-experimental/forgejo
tag: 11 # don't pin, manifests can be missing
# Use mirror
# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
test:
image:
name: code.forgejo.org/oci/busybox
redis-cluster:
enabled: false
postgresql-ha:
enabled: false
persistence:
enabled: false
gitea:
config:
database:
DB_TYPE: sqlite3
session:
PROVIDER: memory
cache:
ADAPTER: memory
queue:
TYPE: level


@ -1,29 +0,0 @@
image:
registry: codeberg.org
repository: forgejo-experimental/forgejo
tag: 12 # don't pin, manifests can be missing
# Use mirror
# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
test:
image:
name: code.forgejo.org/oci/busybox
redis-cluster:
enabled: false
postgresql-ha:
enabled: false
persistence:
enabled: false
gitea:
config:
database:
DB_TYPE: sqlite3
session:
PROVIDER: memory
cache:
ADAPTER: memory
queue:
TYPE: level

2358
package-lock.json generated Normal file

File diff suppressed because it is too large Load diff


@ -1,31 +1,30 @@
{
"name": "forgejo-helm-chart",
"homepage": "https://code.forgejo.org/forgejo-helm/forgejo-helm",
"homepage": "https://codeberg.org/forgejo-contrib/forgejo-helm.git",
"license": "MIT",
"private": true,
"engineStrict": true,
"engines": {
"node": ">=16.0.0",
"npm": ">=8.0.0"
},
"scripts": {
"changelog": "node tools/changelog.mjs",
"forgejo:release": "node tools/forgejo-release.js",
"prepare": "husky",
"prettier": "prettier --check --ignore-unknown --cache '**/*.*'",
"prettier-fix": "prettier --write --ignore-unknown --cache '**/*.*'",
"prepare": "husky install",
"prettier": "prettier --check --ignore-unknown --cache \"**/*.*\"",
"prettier-fix": "prettier --write --ignore-unknown --cache \"**/*.*\"",
"readme:lint": "markdownlint *.md -f",
"readme:parameters": "readme-generator -v values.yaml -r README.md",
"test": "helm unittest --strict -f 'unittests/**/*.yaml' ./"
"readme:parameters": "readme-generator -v values.yaml -r README.md"
},
"devDependencies": {
"@bitnami/readme-generator-for-helm": "2.7.0",
"clipanion": "3.2.1",
"conventional-changelog-conventionalcommits": "8.0.0",
"conventional-changelog-core": "9.0.0",
"husky": "9.1.7",
"lint-staged": "15.5.0",
"markdownlint-cli": "0.44.0",
"prettier": "3.5.3"
},
"packageManager": "pnpm@10.7.0",
"engines": {
"node": "^22.0.0",
"pnpm": "^10.0.0"
"@bitnami/readme-generator-for-helm": "^2.4.2",
"clipanion": "^3.2.1",
"conventional-changelog-conventionalcommits": "^7.0.0",
"conventional-changelog-core": "^7.0.0",
"husky": "^8.0.3",
"lint-staged": "^15.2.0",
"markdownlint-cli": "^0.38.0",
"prettier": "^3.1.0"
}
}
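Review bot: The `devDependencies` on the new side are caret ranges (`"husky": "^8.0.3"`, `"prettier": "^3.1.0"` and the rest) where the old side pinned exact versions, so the resolved tool versions are fixed only by `package-lock.json` and by installing with `npm ci`. A plain `npm install` may pull any newer release within the range into the release tooling. Keeping exact versions, for example `"husky": "8.0.3"`, keeps the manifest and the lockfile in agreement and makes every dependency bump an explicit, reviewable change. Separately, `"engineStrict": true` is not honoured by npm 3 and later, so the `engines` block is advisory unless `engine-strict=true` is set in `.npmrc`, which is not visible on this page.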

File diff suppressed because it is too large Load diff


@ -1,24 +1,9 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"forgejo-contrib/forgejo-renovate//base.json",
"forgejo-helm/forgejo-helm//.forgejo/renovate/k3s.json"
],
"extends": ["forgejo-contrib/forgejo-renovate//base.json"],
"assignees": ["viceice"],
"baseBranches": ["main", "/^maint\\/.+/"],
"enabledManagers": ["helmv3", "npm", "regex", "github-actions"],
"packageRules": [
{
"description": "Separate multiple major sub chart updates",
"matchFileNames": ["Chart.yaml"],
"separateMultipleMajor": true
},
{
"description": "Require approval for major sub chart updates for maintenance branches",
"matchBaseBranches": ["/^maint\\/.+/"],
"matchUpdateTypes": ["major"],
"matchFileNames": ["Chart.yaml"],
"dependencyDashboardApproval": true
},
{
"matchManagers": ["helmv3"],
"matchUpdateTypes": ["minor", "patch"],
@ -30,74 +15,41 @@
"semanticCommitType": "feat"
},
{
"matchManagers": ["custom.regex"],
"matchManagers": ["regex"],
"matchDepNames": ["forgejo"],
"matchUpdateTypes": ["patch"],
"semanticCommitType": "fix"
},
{
"matchManagers": ["custom.regex"],
"matchManagers": ["regex"],
"matchDepNames": ["forgejo"],
"matchUpdateTypes": ["major", "minor"],
"semanticCommitType": "feat"
},
{
"description": "Automerge and group helm subchart updates weekly (minor & patch)",
"description": "Automerge patch deps updates",
"matchManagers": ["helmv3"],
"matchFileNames": ["Chart.yaml"],
"matchUpdateTypes": ["minor", "patch"],
"automerge": true,
"groupName": "subcharts",
"extends": ["schedule:weekly"]
"matchFiles": ["Chart.yaml"],
"matchUpdateTypes": ["patch"],
"automerge": true
},
{
"description": "Automerge dev deps updates",
"matchManagers": ["npm"],
"matchDepTypes": ["devDependencies"],
"matchUpdateTypes": ["minor", "patch"],
"automerge": true
},
{
"description": "Automerge node updates",
"matchManagers": ["nodenv"],
"matchUpdateTypes": ["minor", "patch"],
"automerge": true
"description": "Separate minor and patch updates for kindest",
"matchPackageNames": ["kindest/node"],
"separateMinorPatch": true
},
{
"description": "Automerge some updates",
"matchDepNames": ["pnpm", "helm-unittest"],
"matchUpdateTypes": ["minor", "patch"],
"automerge": true
},
{
"description": "Automerge digest updates",
"matchUpdateTypes": ["digest"],
"automerge": true
},
{
"description": "Use test scope for forgejo ci tests",
"matchFileNames": ["ci/*.yaml"],
"additionalBranchPrefix": "ci-forgejo-",
"semanticCommitType": "ci",
"semanticCommitScope": "forgejo",
"groupName": "experimental docker digests",
"extends": ["schedule:daily"]
},
{
"description": "Disable updates for forgejo ci tests",
"matchFileNames": ["ci/*.yaml"],
"matchUpdateTypes": ["major", "minor", "patch"],
"enabled": false
},
{
"description": "Don't pin digests for forgejo ci tests, not supported",
"matchFileNames": ["ci/*.yaml"],
"pinDigests": false
},
{
"description": "branch automerge not possible",
"automergeType": "pr",
"matchPackageNames": ["/.+/"]
"description": "Require approval and no automerge for kindest major and minor updates",
"matchPackageNames": ["kindest/node"],
"matchUpdateTypes": ["major", "minor"],
"dependencyDashboardApproval": true,
"automerge": false
}
],
"customManagers": [
@ -107,31 +59,38 @@
"fileMatch": ["^Chart\\.yaml$"],
"matchStrings": ["appVersion: (?<currentValue>.+?)\\s"],
"depNameTemplate": "forgejo",
"packageNameTemplate": "code.forgejo.org/forgejo/forgejo",
"packageNameTemplate": "codeberg.org/forgejo/forgejo",
"datasourceTemplate": "docker"
},
{
"description": "Detect helm-unittest yaml schema file",
"description": "Update helm unittest plugin",
"customType": "regex",
"fileMatch": [".vscode/settings\\.json$"],
"fileMatch": ["^\\.woodpecker/[a-z-]+\\.yml$"],
"matchStrings": [
"https://raw\\.githubusercontent\\.com/helm-unittest/helm-unittest/(?<currentValue>v[0-9.]+?)/schema/helm-testsuite\\.json"
"helm plugin install --version (?<currentValue>.+?) https://github.com/helm-unittest/helm-unittest\\s"
],
"depNameTemplate": "helm-unittest",
"packageNameTemplate": "helm-unittest/helm-unittest",
"datasourceTemplate": "github-releases"
},
{
"description": "Detect helm-unittest yaml schema file",
"customType": "regex",
"description": "Update k3s kubernetes references",
"fileMatch": ["^\\.forgejo/workflows/[^/]+\\.ya?ml$"],
"matchStrings": [" +- (?<currentValue>.+?) # renovate: k3s\\n"],
"depNameTemplate": "k3s",
"packageNameTemplate": "k3s-io/k3s",
"fileMatch": [".vscode/settings\\.json$"],
"matchStrings": [
"https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\s]+?)\\/(?<currentValue>v[0-9.]+?)\\/schema\\/helm-testsuite\\.json"
],
"datasourceTemplate": "github-releases"
},
{
"customType": "regex",
"description": "Update kindest kubernetes references",
"fileMatch": ["^\\.forgejo\\/workflows\\/[^/]+\\.ya?ml$"],
"matchStrings": [
" +- (?<currentValue>v\\d+\\.\\d+\\.\\d+) # renovate: kindest\\n"
],
"depNameTemplate": "kindest/node",
"datasourceTemplate": "docker"
}
],
"helm-values": {
"fileMatch": ["^ci/.+\\.yaml$"]
}
]
}
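Review bot: The "Automerge dev deps updates" rule in the second hunk merges minor and patch bumps of npm `devDependencies` with no waiting period visible in this file, and those packages (husky, lint-staged) run hooks on developer machines and in CI. Unless the extended `base.json` preset already sets one, add a soak time to that rule, for example `"minimumReleaseAge": "3 days"`, so a freshly published bad release is not merged automatically. The same applies to the "Automerge patch deps updates" rule for `Chart.yaml`, assuming that rule is on the new side (the page has lost its +/- markers).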


@ -18,19 +18,3 @@
echo "Visit http://127.0.0.1:{{ .Values.service.http.port }} to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ .Release.Name }}-http {{ .Values.service.http.port }}:{{ .Values.service.http.port }}
{{- end }}
{{- $warnings := list -}}
{{- if eq (get .Values.gitea.config.cache "ADAPTER") "memory" -}}
{{- $warnings = append $warnings "Forgejo uses 'memory' for caching which is not recommended for production use. See https://forgejo.org/docs/latest/admin/config-cheat-sheet/#cache-cache for available options." -}}
{{- end }}
{{- if eq (get .Values.gitea.config.queue "TYPE") "level" -}}
{{- $warnings = append $warnings "Forgejo uses 'leveldb' for queue actions which is not recommended for production use. See https://forgejo.org/docs/latest/admin/config-cheat-sheet/#queue-queue-and-queue for available options." -}}
{{- end }}
{{- if eq (get .Values.gitea.config.session "PROVIDER") "memory" -}}
{{- $warnings = append $warnings "Forgejo uses 'memory' for sessions which is not recommended for production use. See https://forgejo.org/docs/latest/admin/config-cheat-sheet/#session-session for available options." -}}
{{- end }}
{{- if gt (len $warnings) 0 }}
2. Review these warnings:
{{- range $warnings }}
- {{ . }}
{{- end }}
{{- end }}


@ -3,6 +3,26 @@
Expand the name of the chart.
*/}}
{{- /* multiple replicas assertions */ -}}
{{- if gt .Values.replicaCount 1.0 -}}
{{- fail "When using multiple replicas, a RWX file system is required" -}}
{{- if eq (get (.Values.persistence.accessModes 0) "ReadWriteOnce") -}}
{{- fail "When using multiple replicas, a RWX file system is required" -}}
{{- end }}
{{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
{{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
{{- end }}
{{- if and (eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve") (eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED "true") -}}
{{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
{{- end }}
{{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
{{- (printf "DEBUG: When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'") | fail -}}
{{- end }}
{{- end }}
{{- define "gitea.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
@ -32,14 +52,6 @@ Create chart name and version as used by the chart label.
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Get version from .Values.image.tag or Chart.AppVersion.
Trim optional docker digest.
*/}}
{{- define "gitea.version" -}}
{{- regexReplaceAll "@.+" (.Values.image.tag | default .Chart.AppVersion | toString) "" -}}
{{- end -}}
{{/*
Create image name and tag used by the deployment.
*/}}
@ -48,7 +60,7 @@ Create image name and tag used by the deployment.
{{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
{{- $repository := .Values.image.repository -}}
{{- $separator := ":" -}}
{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}}
{{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
{{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
{{- $digest := "" -}}
{{- if .Values.image.digest }}
@ -82,7 +94,7 @@ imagePullSecrets:
Storage Class
*/}}
{{- define "gitea.persistence.storageClass" -}}
{{- $storageClass := (tpl ( default "" .Values.persistence.storageClass) .) | default (tpl ( default "" .Values.global.storageClass) .) }}
{{- $storageClass := .Values.global.storageClass | default .Values.persistence.storageClass }}
{{- if $storageClass }}
storageClassName: {{ $storageClass | quote }}
{{- end }}
@ -95,8 +107,8 @@ Common labels
helm.sh/chart: {{ include "gitea.chart" . }}
app: {{ include "gitea.name" . }}
{{ include "gitea.selectorLabels" . }}
app.kubernetes.io/version: {{ include "gitea.version" . | quote }}
version: {{ include "gitea.version" . | quote }}
app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
@ -121,28 +133,20 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- define "redis.dns" -}}
{{- if and ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
{{- fail "redis and redis-cluster cannot be enabled at the same time. Please only choose one." -}}
{{- else if (index .Values "redis-cluster").enabled -}}
{{- if (index .Values "redis-cluster").enabled -}}
{{- printf "redis+cluster://:%s@%s-redis-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis-cluster").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis-cluster").service.ports.redis -}}
{{- else if (index .Values "redis").enabled -}}
{{- printf "redis://:%s@%s-redis-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis").master.service.ports.redis -}}
{{- end -}}
{{- end -}}
{{- define "redis.port" -}}
{{- if (index .Values "redis-cluster").enabled -}}
{{ (index .Values "redis-cluster").service.ports.redis }}
{{- else if (index .Values "redis").enabled -}}
{{ (index .Values "redis").master.service.ports.redis }}
{{- end -}}
{{- end -}}
{{- define "redis.servicename" -}}
{{- if (index .Values "redis-cluster").enabled -}}
{{- printf "%s-redis-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
{{- else if (index .Values "redis").enabled -}}
{{- printf "%s-redis-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
{{- end -}}
{{- end -}}
@ -224,7 +228,7 @@ https
{{- $_ := set $inlines $key (join "\n" $section) -}}
{{- end -}}
{{- else }}
{{- if or (eq $key "APP_NAME") (eq $key "RUN_USER") (eq $key "RUN_MODE") (eq $key "APP_SLOGAN") (eq $key "APP_DISPLAY_NAME_FORMAT") -}}
{{- if or (eq $key "APP_NAME") (eq $key "RUN_USER") (eq $key "RUN_MODE") -}}
{{- $generals = append $generals (printf "%s=%s" $key $value) -}}
{{- else -}}
{{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}}
@ -286,33 +290,23 @@ https
{{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}}
{{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
{{- end -}}
{{- if (index .Values "redis-cluster").enabled -}}
{{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}}
{{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}}
{{- if not (.Values.gitea.config.cache.HOST) -}}
{{- $_ := set .Values.gitea.config.cache "HOST" (include "redis.dns" .) -}}
{{- end -}}
{{- end -}}
{{- /* redis queue */ -}}
{{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
{{- if (index .Values "redis-cluster").enabled -}}
{{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
{{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "redis.dns" .) -}}
{{- end -}}
{{- if not (get .Values.gitea.config.session "PROVIDER") -}}
{{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
{{- end -}}
{{- if not (get .Values.gitea.config.session "PROVIDER_CONFIG") -}}
{{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" (include "redis.dns" .) -}}
{{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}}
{{- $_ := set .Values.gitea.config.cache "HOST" (include "redis.dns" .) -}}
{{- else -}}
{{- if not (get .Values.gitea.config.session "PROVIDER") -}}
{{- $_ := set .Values.gitea.config.session "PROVIDER" "memory" -}}
{{- end -}}
{{- if not (get .Values.gitea.config.session "PROVIDER_CONFIG") -}}
{{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" "" -}}
{{- end -}}
{{- if not (get .Values.gitea.config.queue "TYPE") -}}
{{- $_ := set .Values.gitea.config.queue "TYPE" "level" -}}
{{- end -}}
{{- if not (get .Values.gitea.config.queue "CONN_STR") -}}
{{- $_ := set .Values.gitea.config.queue "CONN_STR" "" -}}
{{- end -}}
{{- if not (get .Values.gitea.config.cache "ADAPTER") -}}
{{- $_ := set .Values.gitea.config.cache "ADAPTER" "memory" -}}
{{- end -}}
{{- if not (get .Values.gitea.config.cache "HOST") -}}
{{- $_ := set .Values.gitea.config.cache "HOST" "" -}}
{{- end -}}
{{- end -}}
{{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}}
{{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}}
@ -408,11 +402,3 @@ https
{{- define "gitea.serviceAccountName" -}}
{{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
{{- end -}}
{{- define "gitea.admin.passwordMode" -}}
{{- if has .Values.gitea.admin.passwordMode (tuple "keepUpdated" "initialOnlyNoReset" "initialOnlyRequireReset") -}}
{{ .Values.gitea.admin.passwordMode }}
{{- else -}}
{{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
{{- end -}}
{{- end -}}
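Review bot: In the first hunk, the added "multiple replicas assertions" block calls `fail` unconditionally as soon as `replicaCount` exceeds 1, so the access-mode and indexer checks nested below it can never run. The access-mode test `eq (get (.Values.persistence.accessModes 0) "ReadWriteOnce")` passes `eq` a single operand and calls the list as if it were a function; `eq (first .Values.persistence.accessModes) "ReadWriteOnce"` is the form used in the config secret template on this page. Both `ISSUE_INDEXER_TYPE` checks report the repo indexer in their message, and the second still carries a `DEBUG:` prefix. The block also sits outside any `define`, so if this is a partials file it may never execute; confirm where these assertions are meant to run.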


@ -2,7 +2,6 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ include "gitea.fullname" . }}-inline-config
namespace: {{ include "common.names.namespace" . | quote }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
type: Opaque
@ -19,40 +18,35 @@ type: Opaque
stringData:
assertions: |
{{- /*assert that only one PG dep is enabled */ -}}
{{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}}
{{- fail "Only one of postgresql or postgresql-ha can be enabled at the same time." -}}
{{- end }}
{{- /* multiple replicas assertions */ -}}
{{- if gt .Values.replicaCount 1.0 -}}
{{- if .Values.gitea.config.cron -}}
{{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
{{- if eq .Values.gitea.config.cron.GIT_GC_REPOS.ENABLED true -}}
{{ fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." }}
{{- end }}
{{- end }}
{{- end }}
{{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
{{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
{{- end }}
{{- if .Values.gitea.config.indexer -}}
{{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
{{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
{{- end }}
{{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
{{- if eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve" -}}
{{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
{{- if eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED true -}}
{{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- /*assert that only one PG dep is enabled */ -}}
{{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}}
{{- fail "Only one of postgresql or postgresql-ha can be enabled at the same time." -}}
{{- end }}
{{- /* multiple replicas assertions */ -}}
{{- if gt .Values.replicaCount 1.0 -}}
{{- if (get (get .Values.gitea.config "cron.GIT_GC_REPOS") "ENABLED") -}}
{{- fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." -}}
{{- end }}
{{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
{{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
{{- end }}
{{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
{{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
{{- end }}
{{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
{{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_TYPE") "bleve" -}}
{{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
{{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_ENABLED") "true" -}}
{{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
config_environment.sh: |-
#!/usr/bin/env bash
set -euo pipefail
@ -69,7 +63,7 @@ stringData:
# skip empty line
return
fi
# 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)"
@ -89,18 +83,15 @@ stringData:
env2ini::log " + '${setting}'"
local masked_setting="${setting//./_0X2E_}" # '//' instructs to replace all matches
masked_setting="${masked_setting//-/_0X2D_}"
if [[ -z "${section}" ]]; then
export "FORGEJO____${masked_setting^^}=${value}" # '^^' makes the variable content uppercase
export "FORGEJO____${setting^^}=${value}" # '^^' makes the variable content uppercase
return
fi
local masked_section="${section//./_0X2E_}" # '//' instructs to replace all matches
masked_section="${masked_section//-/_0X2D_}"
export "FORGEJO__${masked_section^^}__${masked_setting^^}=${value}" # '^^' makes the variable content uppercase
export "FORGEJO__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase
}
function env2ini::reload_preset_envs() {
@ -182,10 +173,8 @@ stringData:
env2ini::log "...Initial secrets generated\n"
}
# save existing envs prior to script execution. Necessary to keep order of
# preexisting and custom envs
env | (grep -e '^FORGEJO__' || [[ $? == 1 ]]) > /tmp/existing-envs
env | (grep FORGEJO || [[ $? == 1 ]]) > /tmp/existing-envs
# MUST BE CALLED BEFORE OTHER CONFIGURATION
env2ini::generate_initial_secrets
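Review bot: In the `@ -89,18 +83,15 @` hunk, the export lines that interpolate `${setting^^}` directly put the raw key into the variable name, so a key containing `.` or `-` yields a name bash rejects, and under `set -euo pipefail` that aborts the script. Assuming those are the new-side lines (the page has lost its +/- markers), keep the masking step, `local masked_setting="${setting//./_0X2E_}"` followed by `masked_setting="${masked_setting//-/_0X2D_}"`, and export `${masked_setting^^}`. In the last hunk, `grep FORGEJO` also captures variables that merely contain that text in their value; `grep -e '^FORGEJO__'` restricts the snapshot to the intended prefix. The enclosing function starts outside the hunk.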


@ -2,16 +2,12 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "gitea.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
annotations:
{{- if .Values.deployment.annotations }}
{{- toYaml .Values.deployment.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
{{- if .Values.deployment.labels }}
{{- toYaml .Values.deployment.labels | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
strategy:
@ -57,7 +53,7 @@ spec:
{{- end }}
{{- include "gitea.images.pullSecrets" . | nindent 6 }}
securityContext:
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- toYaml .Values.podSecurityContext | nindent 8 }}
initContainers:
- name: init-directories
image: "{{ include "gitea.image" . }}"
@ -91,7 +87,7 @@ spec:
{{- end }}
{{- include "gitea.init-additional-mounts" . | nindent 12 }}
securityContext:
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
resources:
{{- toYaml .Values.initContainers.resources | nindent 12 }}
- name: init-app-ini
@ -131,7 +127,7 @@ spec:
{{- end }}
{{- include "gitea.init-additional-mounts" . | nindent 12 }}
securityContext:
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
resources:
{{- toYaml .Values.initContainers.resources | nindent 12 }}
{{- if .Values.signing.enabled }}
@ -145,7 +141,7 @@ spec:
{{- if not (hasKey $csc "runAsUser") -}}
{{- $_ := set $csc "runAsUser" 1000 -}}
{{- end -}}
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
{{- toYaml $csc | nindent 12 }}
env:
- name: GNUPGHOME
value: {{ .Values.signing.gpgHome }}
@ -176,7 +172,7 @@ spec:
{{- if not (hasKey $csc "runAsUser") -}}
{{- $_ := set $csc "runAsUser" 1000 -}}
{{- end -}}
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
{{- toYaml $csc | nindent 12 }}
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
@ -244,8 +240,6 @@ spec:
- name: GITEA_ADMIN_PASSWORD
value: {{ .Values.gitea.admin.password | quote }}
{{- end }}
- name: GITEA_ADMIN_PASSWORD_MODE
value: {{ include "gitea.admin.passwordMode" $ }}
{{- if .Values.deployment.env }}
{{- toYaml .Values.deployment.env | nindent 12 }}
{{- end }}
@ -327,9 +321,9 @@ spec:
securityContext:
{{- /* Honor the deprecated securityContext variable when defined */ -}}
{{- if .Values.containerSecurityContext -}}
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{ toYaml .Values.containerSecurityContext | nindent 12 -}}
{{- else -}}
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 12 }}
{{ toYaml .Values.securityContext | nindent 12 -}}
{{- end }}
volumeMounts:
- name: temp
@ -353,7 +347,7 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
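Review bot: In the `@ -244,8 +240,6 @` hunk, `GITEA_ADMIN_PASSWORD` is still set with `value: {{ .Values.gitea.admin.password | quote }}`, which writes the admin password into the Deployment spec, where anyone allowed to read Deployments or Pods in the namespace can see it. Rendering the password into a chart-managed Secret and referencing it through `valueFrom.secretKeyRef` would keep it out of the workload object. The branch for an existing secret presumably does this already, but it lies outside the hunk. The container's `env:` list starts and ends outside the hunk.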


@ -7,7 +7,6 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ include "gitea.gpg-key-secret-name" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
type: Opaque


@ -2,21 +2,13 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "gitea.fullname" . }}-http
namespace: {{ include "common.names.namespace" . | quote }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
{{- if .Values.service.http.labels }}
{{- toYaml .Values.service.http.labels | nindent 4 }}
{{- end }}
annotations:
{{- toYaml .Values.service.http.annotations | nindent 4 }}
spec:
type: {{ .Values.service.http.type }}
{{- if eq .Values.service.http.type "LoadBalancer" }}
{{- if .Values.service.http.loadBalancerClass }}
loadBalancerClass: {{ .Values.service.http.loadBalancerClass }}
{{- end }}
{{- if and .Values.service.http.loadBalancerIP }}
{{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
loadBalancerIP: {{ .Values.service.http.loadBalancerIP }}
{{- end }}
{{- if .Values.service.http.loadBalancerSourceRanges }}
@ -25,7 +17,6 @@ spec:
- {{ . }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.service.http.externalIPs }}
externalIPs:
{{- toYaml .Values.service.http.externalIPs | nindent 4 }}
@ -49,6 +40,6 @@ spec:
{{- if .Values.service.http.nodePort }}
nodePort: {{ .Values.service.http.nodePort }}
{{- end }}
targetPort: http
targetPort: {{ .Values.gitea.config.server.HTTP_PORT }}
selector:
{{- include "gitea.selectorLabels" . | nindent 4 }}
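Review bot: `loadBalancerSourceRanges` loses its service-type guard on the new side: the enclosing `if eq .Values.service.http.type "LoadBalancer"` and its closing `end` are dropped in the first two hunks, while only `loadBalancerIP` gets an inline type check. Kubernetes accepts that field only on LoadBalancer services, so a values file that sets source ranges with another type is likely to be rejected at install time; guard it the same way, `{{- if and .Values.service.http.loadBalancerSourceRanges (eq .Values.service.http.type "LoadBalancer") }}`. In the last hunk, `targetPort: {{ .Values.gitea.config.server.HTTP_PORT }}` renders empty when that key is unset in values, so confirm a default is always present.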


@ -1,10 +1,18 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "gitea.fullname" . -}}
apiVersion: networking.k8s.io/v1
{{- $httpPort := .Values.service.http.port -}}
{{- $apiVersion := "extensions/v1beta1" -}}
{{- if .Values.ingress.apiVersion -}}
{{- $apiVersion = .Values.ingress.apiVersion -}}
{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
{{- $apiVersion = "networking.k8s.io/v1" }}
{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
{{- $apiVersion = "networking.k8s.io/v1beta1" }}
{{- end }}
apiVersion: {{ $apiVersion }}
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ include "common.names.namespace" . | quote }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
annotations:
@ -13,7 +21,7 @@ metadata:
{{- end }}
spec:
{{- if .Values.ingress.className }}
ingressClassName: {{ tpl .Values.ingress.className . }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
@ -32,14 +40,19 @@ spec:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if .pathType }}
{{- if and .pathType (eq $apiVersion "networking.k8s.io/v1") }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if eq $apiVersion "networking.k8s.io/v1" }}
service:
name: {{ $fullName }}-http
port:
name: http
number: {{ $httpPort }}
{{- else }}
serviceName: {{ $fullName }}-http
servicePort: {{ $httpPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
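Review bot: Under `networking.k8s.io/v1` the `pathType` field is required, but the new condition `and .pathType (eq $apiVersion "networking.k8s.io/v1")` in the last hunk still omits it when a path entry has none, which produces an Ingress the API server rejects. Emit it unconditionally in the v1 branch with a default, e.g. `pathType: {{ .pathType | default "Prefix" }}`. In the first hunk `.Values.ingress.apiVersion` is used verbatim, so any value other than `networking.k8s.io/v1` silently selects the legacy `serviceName`/`servicePort` backend; a short comment there would document that.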


@ -2,7 +2,6 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ include "gitea.fullname" . }}-init
namespace: {{ include "common.names.namespace" . | quote }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
type: Opaque
@ -87,49 +86,15 @@ stringData:
{{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
function configure_admin_user() {
local full_admin_list=$(gitea admin user list --admin)
local actual_user_table=''
# We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
local regex="(.*)(ID\s+Username\s+Email\s+IsActive.*)"
if [[ "${full_admin_list}" =~ $regex ]]; then
actual_user_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
else
# This code block should never be reached, as long as the output table header remains the same.
# If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
echo "ERROR: 'configure_admin_user' was not able to determine the current list of admin users."
echo " Please review the output of 'gitea admin user list --admin' shown below."
echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
echo "DEBUG: Output of 'gitea admin user list --admin'"
echo "--"
echo "${full_admin_list}"
echo "--"
exit 1
fi
local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
local ACCOUNT_ID=$(gitea admin user list --admin | grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+" | awk -F " " "{printf \$1}")
if [[ -z "${ACCOUNT_ID}" ]]; then
local -a create_args
create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }})
if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then
create_args+=(--must-change-password=true)
else
create_args+=(--must-change-password=false)
fi
echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
gitea admin user create "${create_args[@]}"
gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
echo '...created.'
else
if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then
echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
local -a change_args
change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --must-change-password=false)
gitea admin user change-password "${change_args[@]}"
echo '...password sync done.'
else
echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping."
fi
echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
echo '...password sync done.'
fi
}
@ -140,28 +105,7 @@ stringData:
{{- if .Values.gitea.ldap }}
{{- range $idx, $value := .Values.gitea.ldap }}
local LDAP_NAME={{ (printf "%s" $value.name) | squote }}
local full_auth_list=$(gitea admin auth list --vertical-bars)
local actual_auth_table=''
# We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)"
if [[ "${full_auth_list}" =~ $regex ]]; then
actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
else
# This code block should never be reached, as long as the output table header remains the same.
# If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
echo "ERROR: 'configure_ldap' was not able to determine the current list of authentication sources."
echo " Please review the output of 'gitea admin auth list --vertical-bars' shown below."
echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
echo "--"
echo "${full_auth_list}"
echo "--"
exit 1
fi
local GITEA_AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " " "{print \$1}")
local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " " "{print \$1}")
if [[ -z "${GITEA_AUTH_ID}" ]]; then
echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
@ -184,28 +128,7 @@ stringData:
{{- if .Values.gitea.oauth }}
{{- range $idx, $value := .Values.gitea.oauth }}
local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
local full_auth_list=$(gitea admin auth list --vertical-bars)
local actual_auth_table=''
# We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)"
if [[ "${full_auth_list}" =~ $regex ]]; then
actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
else
# This code block should never be reached, as long as the output table header remains the same.
# If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
echo "ERROR: 'configure_oauth' was not able to determine the current list of authentication sources."
echo " Please review the output of 'gitea admin auth list --vertical-bars' shown below."
echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
echo "--"
echo "${full_auth_list}"
echo "--"
exit 1
fi
local AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " " "{print \$1}")
local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " " "{print \$1}")
if [[ -z "${AUTH_ID}" ]]; then
echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
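Review bot: In the first hunk the account lookup `grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+"` treats the username as a regular expression and runs over the raw command output, so a name containing `.` can match a different admin, and a warning line that mentions the name counts as a hit. Compare the column literally instead, e.g. `gitea admin user list --admin | awk -v u="${GITEA_ADMIN_USERNAME}" '$2 == u { printf $1 }'`. The `${LDAP_NAME}` and `${OAUTH_NAME}` lookups in the two following hunks interpolate values into `grep -E` the same way. `configure_admin_user` lies inside its hunk, but the LDAP and OAuth functions start outside theirs.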


@ -1,9 +1,12 @@
{{- if .Values.podDisruptionBudget -}}
{{- if .Capabilities.APIVersions.Has "policy/v1" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ include "gitea.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
spec:
@ -11,4 +14,4 @@ spec:
matchLabels:
{{- include "gitea.selectorLabels" . | nindent 6 }}
{{- toYaml .Values.podDisruptionBudget | nindent 2 }}
{{- end -}}
{{- end -}}


@ -3,13 +3,9 @@ kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ .Values.persistence.claimName }}
namespace: {{ include "common.names.namespace" . | quote }}
namespace: {{ $.Release.Namespace }}
annotations:
{{ .Values.persistence.annotations | toYaml | indent 4}}
{{- if .Values.persistence.labels }}
labels:
{{ .Values.persistence.labels | toYaml | indent 4}}
{{- end }}
spec:
accessModes:
{{- if gt .Values.replicaCount 1.0 }}
@ -18,11 +14,13 @@ spec:
{{- .Values.persistence.accessModes | toYaml | nindent 4 }}
{{- end }}
volumeMode: Filesystem
{{- include "gitea.persistence.storageClass" . | nindent 2 }}
{{- if .Values.persistence.storageClass }}
storageClassName: {{ .Values.persistence.storageClass }}
{{- end }}
{{- with .Values.persistence.volumeName }}
volumeName: {{ . }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size }}
{{- end }}
{{- end }}
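Review bot: `namespace: {{ $.Release.Namespace }}` and `storageClassName: {{ .Values.persistence.storageClass }}` are substituted unquoted on the new side, so a value that YAML reads as a number or boolean (an all-digit namespace, a class named `true`) changes type after rendering and the API server rejects the claim. Quoting both keeps them strings whatever the user supplies: `namespace: {{ $.Release.Namespace | quote }}` and `storageClassName: {{ .Values.persistence.storageClass | quote }}`. The ServiceAccount section of this same comparison already pipes the namespace through `quote`, so this would also make the templates consistent.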


@ -1,43 +0,0 @@
{{- if .Values.route.enabled -}}
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: {{ include "gitea.fullname" . }}-http
namespace: {{ include "common.names.namespace" . | quote }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
annotations:
{{- toYaml .Values.route.annotations | nindent 4 }}
spec:
{{- if .Values.route.host }}
host: {{ tpl .Values.route.host $ | quote }}
{{- end }}
{{- if .Values.route.wildcardPolicy }}
wildcardPolicy: {{ .Values.route.wildcardPolicy }}
{{- end }}
to:
kind: Service
name: {{ include "gitea.fullname" . }}-http
weight: 100
port:
targetPort: http
tls:
termination: edge
insecureEdgeTerminationPolicy: Redirect
{{- if .Values.route.tls.existingSecret }}
externalCertificate: {{ .Values.route.tls.existingSecret }}
{{- else if and .Values.route.tls.certificate
.Values.route.tls.privateKey
.Values.route.tls.caCertificate }}
certificate: |
{{ .Values.route.tls.certificate | indent 6 }}
key: |
{{ .Values.route.tls.privateKey | indent 6 }}
caCertificate: |
{{ .Values.route.tls.caCertificate | indent 6 }}
{{- else if or .Values.route.tls.certificate
.Values.route.tls.privateKey
.Values.route.tls.caCertificate }}
{{- fail "certificate, privateKey and caCertificate must be specified together" }}
{{- end }}
{{- end }}


@ -3,7 +3,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "gitea.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.labels }}


@ -3,7 +3,6 @@ apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "gitea.fullname" . }}
namespace: {{ default (include "common.names.namespace" .) .Values.gitea.metrics.serviceMonitor.namespace | quote }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
{{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}
@ -15,4 +14,4 @@ spec:
{{- include "gitea.selectorLabels" . | nindent 6 }}
endpoints:
- port: http
{{- end -}}
{{- end -}}


@ -2,20 +2,13 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "gitea.fullname" . }}-ssh
namespace: {{ include "common.names.namespace" . | quote }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
{{- if .Values.service.ssh.labels }}
{{- toYaml .Values.service.ssh.labels | nindent 4 }}
{{- end }}
annotations:
{{- toYaml .Values.service.ssh.annotations | nindent 4 }}
spec:
type: {{ .Values.service.ssh.type }}
{{- if eq .Values.service.ssh.type "LoadBalancer" }}
{{- if .Values.service.ssh.loadBalancerClass }}
loadBalancerClass: {{ .Values.service.ssh.loadBalancerClass }}
{{- end }}
{{- if .Values.service.ssh.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
{{- end -}}
@ -47,7 +40,7 @@ spec:
- name: ssh
port: {{ .Values.service.ssh.port }}
{{- if .Values.gitea.config.server.SSH_LISTEN_PORT }}
targetPort: ssh
targetPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
{{- end }}
protocol: TCP
{{- if .Values.service.ssh.nodePort }}


@ -6,7 +6,7 @@ metadata:
labels:
{{ include "gitea.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
"helm.sh/hook": test-success
spec:
containers:
- name: wget
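Review bot: `"helm.sh/hook": test-success` is the Helm 2 spelling of the hook; Helm 3 accepts it only as a deprecated alias of `test`, so the annotation depends on backwards-compatibility behaviour that may be removed. I would keep `"helm.sh/hook": test` here. The pod spec continues past the end of this hunk, so the container image and command are not visible for review.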


@ -1,12 +1,71 @@
import { getChangelog } from './changelog/util.js';
import conventionalChangelogCore from 'conventional-changelog-core';
import conventionalChangelogPreset from 'conventional-changelog-conventionalcommits';
import fs from 'node:fs';
const stream = getChangelog(!!process.argv[2]).setEncoding('utf8');
const config = conventionalChangelogPreset({
types: [
{
type: 'feat',
section: 'Features',
},
{
type: 'feature',
section: 'Features',
},
{
type: 'fix',
section: 'Bug Fixes',
},
{
type: 'perf',
section: 'Performance Improvements',
},
{
type: 'revert',
section: 'Reverts',
},
{
type: 'docs',
section: 'Documentation',
},
{
type: 'style',
section: 'Styles',
},
{
type: 'chore',
section: 'Miscellaneous Chores',
},
{
type: 'refactor',
section: 'Code Refactoring',
},
{
type: 'test',
section: 'Tests',
},
{
type: 'build',
section: 'Build System',
},
{
type: 'ci',
section: 'Continuous Integration',
},
],
});
const changes = (await stream.toArray()).join('');
const file = process.argv[3]
? fs.createWriteStream(process.argv[3])
: process.stdout;
if (!changes.length) {
console.error('No changelog found');
process.exit(1);
}
process.stdout.write(changes);
conventionalChangelogCore(
{
config,
releaseCount: 2,
},
{ version: process.argv[2], linkCompare: false },
undefined,
undefined,
{ headerPartial: '' },
).pipe(file);
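Review bot: The rewritten script has no failure path: going by the hunk counts, the `if (!changes.length)` guard with `process.exit(1)` is on the removed side, and the new `conventionalChangelogCore(...).pipe(file)` neither checks that `process.argv[2]` was supplied nor listens for stream errors. A release job could therefore exit 0 after writing an empty changelog or one with an `undefined` version. I would add `if (!process.argv[2]) { console.error('version argument missing'); process.exit(1); }` before the call and `.on('error', (err) => { console.error(err); process.exit(1); })` ahead of `.pipe(file)`. The inline `types` list also repeats the one in the `export const config` of the next section; if that is `./changelog/util.js`, importing `config` from it would keep the two from drifting.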


@ -11,6 +11,10 @@ export const config = conventionalChangelogPreset({
type: 'feat',
section: 'Features',
},
{
type: 'feature',
section: 'Features',
},
{
type: 'fix',
section: 'Bug Fixes',
@ -31,6 +35,10 @@ export const config = conventionalChangelogPreset({
type: 'style',
section: 'Styles',
},
{
type: 'chore',
section: 'Miscellaneous Chores',
},
{
type: 'refactor',
section: 'Code Refactoring',
@ -47,25 +55,22 @@ export const config = conventionalChangelogPreset({
type: 'ci',
section: 'Continuous Integration',
},
{
type: 'chore',
section: 'Miscellaneous Chores',
},
],
});
/**
*
* @param {boolean|undefined} onTag
* @param {string} version
* @param {boolean} onTag
* @returns
*/
export function getChangelog(onTag = false) {
export function getChangelog(version, onTag) {
return conventionalChangelogCore(
{
config,
releaseCount: onTag ? 2 : 1,
},
undefined,
{ version, linkCompare: false },
undefined,
undefined,
{ headerPartial: '' },
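Review bot: The JSDoc above `getChangelog(version, onTag)` has no summary line and an empty `@returns`, and `onTag` no longer carries the `= false` default, so the contract can only be learned by reading the callers. I would add a one-line description, then `@param {string} version version passed to conventional-changelog as the context version`, `@param {boolean} onTag when true, two releases are generated instead of one`, and a `@returns` naming the stream that `conventionalChangelogCore` hands back. If callers may still omit the flag, `onTag = false` keeps the earlier behaviour. The function body continues outside this hunk.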


@ -1,5 +1,4 @@
# https://github.com/helm/chart-testing/blob/main/doc/ct_install.md
helm-extra-args: --timeout 3m
helm-extra-args: --timeout 600s
check-version-increment: false
debug: true
target-branch: main


@ -68,7 +68,7 @@ class GiteaReleaseCommand extends Command {
return 1;
}
const stream = getChangelog(true).setEncoding('utf8');
const stream = getChangelog(tag, true).setEncoding('utf8');
const changes = (await stream.toArray()).join('');
this.context.stdout.write(`Creating release ${tag}.\n`);


@ -1,66 +0,0 @@
suite: config template | cache config
release:
name: gitea-unittests
namespace: testing
tests:
- it: 'cache is configured correctly for redis-cluster'
template: templates/gitea/config.yaml
set:
redis-cluster:
enabled: true
redis:
enabled: false
asserts:
- documentIndex: 0
equal:
path: stringData.cache
value: |-
ADAPTER=redis
HOST=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
- it: 'cache is configured correctly for redis'
template: templates/gitea/config.yaml
set:
redis-cluster:
enabled: false
redis:
enabled: true
asserts:
- documentIndex: 0
equal:
path: stringData.cache
value: |-
ADAPTER=redis
HOST=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
- it: "cache is configured correctly for 'memory' when redis (or redis-cluster) is disabled"
template: templates/gitea/config.yaml
set:
redis-cluster:
enabled: false
redis:
enabled: false
asserts:
- documentIndex: 0
equal:
path: stringData.cache
value: |-
ADAPTER=memory
HOST=
- it: 'cache can be customized when redis (or redis-cluster) is disabled'
template: templates/gitea/config.yaml
set:
redis-cluster:
enabled: false
redis:
enabled: false
gitea.config.cache.ADAPTER: custom-adapter
gitea.config.cache.HOST: custom-host
asserts:
- documentIndex: 0
equal:
path: stringData.cache
value: |-
ADAPTER=custom-adapter
HOST=custom-host


@ -1,66 +0,0 @@
suite: config template | queue config
release:
name: gitea-unittests
namespace: testing
tests:
- it: 'queue is configured correctly for redis-cluster'
template: templates/gitea/config.yaml
set:
redis-cluster:
enabled: true
redis:
enabled: false
asserts:
- documentIndex: 0
equal:
path: stringData.queue
value: |-
CONN_STR=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
TYPE=redis
- it: 'queue is configured correctly for redis'
template: templates/gitea/config.yaml
set:
redis-cluster:
enabled: false
redis:
enabled: true
asserts:
- documentIndex: 0
equal:
path: stringData.queue
value: |-
CONN_STR=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
TYPE=redis
- it: "queue is configured correctly for 'levelDB' when redis (and redis-cluster) is disabled"
template: templates/gitea/config.yaml
set:
redis-cluster:
enabled: false
redis:
enabled: false
asserts:
- documentIndex: 0
equal:
path: stringData.queue
value: |-
CONN_STR=
TYPE=level
- it: 'queue can be customized when redis (and redis-cluster) are disabled'
template: templates/gitea/config.yaml
set:
redis-cluster:
enabled: false
redis:
enabled: false
gitea.config.queue.TYPE: custom-type
gitea.config.queue.CONN_STR: custom-connection-string
asserts:
- documentIndex: 0
equal:
path: stringData.queue
value: |-
CONN_STR=custom-connection-string
TYPE=custom-type


@ -1,66 +0,0 @@
suite: config template | session config
release:
name: gitea-unittests
namespace: testing
tests:
- it: 'session is configured correctly for redis-cluster'
template: templates/gitea/config.yaml
set:
redis-cluster:
enabled: true
redis:
enabled: false
asserts:
- documentIndex: 0
equal:
path: stringData.session
value: |-
PROVIDER=redis
PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
- it: 'session is configured correctly for redis'
template: templates/gitea/config.yaml
set:
redis-cluster:
enabled: false
redis:
enabled: true
asserts:
- documentIndex: 0
equal:
path: stringData.session
value: |-
PROVIDER=redis
PROVIDER_CONFIG=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
- it: "session is configured correctly for 'memory' when redis (and redis-cluster) is disabled"
template: templates/gitea/config.yaml
set:
redis-cluster:
enabled: false
redis:
enabled: false
asserts:
- documentIndex: 0
equal:
path: stringData.session
value: |-
PROVIDER=memory
PROVIDER_CONFIG=
- it: 'session can be customized when redis (and redis-cluster) is disabled'
template: templates/gitea/config.yaml
set:
redis-cluster:
enabled: false
redis:
enabled: false
gitea.config.session.PROVIDER: custom-provider
gitea.config.session.PROVIDER_CONFIG: custom-provider-config
asserts:
- documentIndex: 0
equal:
path: stringData.session
value: |-
PROVIDER=custom-provider
PROVIDER_CONFIG=custom-provider-config


@ -15,7 +15,7 @@ tests:
matchRegex:
path: spec.template.spec.containers[0].image
# IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
pattern: ^docker.io/bitnami/postgresql-repmgr:17.+$
pattern: ^docker.io/bitnami/postgresql-repmgr:16.+$
- it: '[postgresql] ensures we detect major image version upgrades'
template: charts/postgresql/templates/primary/statefulset.yaml
set:
@ -28,30 +28,15 @@ tests:
matchRegex:
path: spec.template.spec.containers[0].image
# IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
pattern: ^docker.io/bitnami/postgresql:17.+$
pattern: ^docker.io/bitnami/postgresql:16.+$
- it: '[redis-cluster] ensures we detect major image version upgrades'
template: charts/redis-cluster/templates/redis-statefulset.yaml
set:
redis-cluster:
enabled: true
redis:
enabled: false
asserts:
- documentIndex: 0
matchRegex:
path: spec.template.spec.containers[0].image
# IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
pattern: bitnami/redis-cluster:7.+$
- it: '[redis] ensures we detect major image version upgrades'
template: charts/redis/templates/master/application.yaml
set:
redis-cluster:
enabled: false
redis:
enabled: true
asserts:
- documentIndex: 0
matchRegex:
path: spec.template.spec.containers[0].image
# IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
pattern: bitnami/redis:7.+$
pattern: ^docker.io/bitnami/redis-cluster:7.+$
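Review bot: The image patterns on the new side leave every `.` unescaped, so `16.+` accepts any tag that merely begins with `16` (for example `160…`) and `docker.io` matches any character where the dot is. For tests whose stated purpose is to catch an unintended major image bump, that is looser than the comment above them promises. Escaping the dots pins both the registry and the major version: `pattern: ^docker\.io/bitnami/postgresql:16\..+$`, and likewise for `postgresql-repmgr:16` and `redis-cluster:7`.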


@ -1,59 +0,0 @@
suite: deployment template (HA)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: fails with multiple replicas and "GIT_GC_REPOS" enabled
template: templates/gitea/deployment.yaml
set:
replicaCount: 2
persistence:
accessModes:
- ReadWriteMany
gitea:
config:
cron:
GIT_GC_REPOS:
ENABLED: true
asserts:
- failedTemplate:
errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'."
- it: fails with multiple replicas and RWX file system not set
template: templates/gitea/deployment.yaml
set:
replicaCount: 2
asserts:
- failedTemplate:
errorMessage: 'When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany.'
- it: fails with multiple replicas and bleve issue indexer
template: templates/gitea/deployment.yaml
set:
replicaCount: 2
persistence:
accessModes:
- ReadWriteMany
gitea:
config:
indexer:
ISSUE_INDEXER_TYPE: bleve
asserts:
- failedTemplate:
errorMessage: "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)."
- it: fails with multiple replicas and bleve repo indexer
template: templates/gitea/deployment.yaml
set:
replicaCount: 2
persistence:
accessModes:
- ReadWriteMany
gitea:
config:
indexer:
REPO_INDEXER_TYPE: bleve
REPO_INDEXER_ENABLED: true
asserts:
- failedTemplate:
errorMessage: "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled."


@ -15,17 +15,3 @@ tests:
kind: Deployment
apiVersion: apps/v1
name: forgejo-unittests
- it: deployment labels are set
template: templates/gitea/deployment.yaml
set:
deployment.labels:
hello: world
asserts:
- isSubset:
path: metadata.labels
content:
hello: world
- isSubset:
path: spec.template.metadata.labels
content:
hello: world


@ -14,7 +14,7 @@ tests:
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: 'code.forgejo.org/forgejo/forgejo:1.19.3-rootless'
value: 'codeberg.org/forgejo/forgejo:1.19.3-rootless'
- it: tag override
template: templates/gitea/deployment.yaml
set:
@ -22,7 +22,7 @@ tests:
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: 'code.forgejo.org/forgejo/forgejo:1.19.4-rootless'
value: 'codeberg.org/forgejo/forgejo:1.19.4-rootless'
- it: root-based image
template: templates/gitea/deployment.yaml
set:
@ -30,7 +30,7 @@ tests:
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: 'code.forgejo.org/forgejo/forgejo:1.19.3'
value: 'codeberg.org/forgejo/forgejo:1.19.3'
- it: scoped registry
template: templates/gitea/deployment.yaml
set:
@ -56,7 +56,7 @@ tests:
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: 'code.forgejo.org/forgejo/forgejo:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a'
value: 'codeberg.org/forgejo/forgejo:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a'
- it: image fullOverride (does not append rootless)
template: templates/gitea/deployment.yaml
set:
@ -81,7 +81,7 @@ tests:
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: 'code.forgejo.org/forgejo/forgejo:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a'
value: 'codeberg.org/forgejo/forgejo:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a'
- it: digest and global registry
template: templates/gitea/deployment.yaml
set:
@ -91,20 +91,3 @@ tests:
- equal:
path: spec.template.spec.containers[0].image
value: 'global.example.com/forgejo/forgejo:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a'
- it: correctly renders floating tag references
template: templates/gitea/deployment.yaml
set:
image.tag: 1.21 # use non-quoted value on purpose. See: https://gitea.com/gitea/helm-chart/issues/631
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: 'code.forgejo.org/forgejo/forgejo:1.21-rootless'
- equal:
path: spec.template.spec.initContainers[1].image
value: 'code.forgejo.org/forgejo/forgejo:1.21-rootless'
- equal:
path: spec.template.spec.initContainers[2].image
value: 'code.forgejo.org/forgejo/forgejo:1.21-rootless'
- equal:
path: spec.template.spec.containers[0].image
value: 'code.forgejo.org/forgejo/forgejo:1.21-rootless'


@ -15,33 +15,9 @@ tests:
hosts:
- '{{ .Values.global.giteaHostName }}'
asserts:
- isKind:
of: Ingress
- equal:
path: spec.tls[0].hosts[0]
value: 'gitea.example.com'
- equal:
path: spec.rules[0].host
value: 'gitea.example.com'
- it: Ingress Class using TPL
set:
global.ingress.className: 'ingress-class'
ingress.className: '{{ .Values.global.ingress.className }}'
ingress.enabled: true
ingress.hosts[0].host: 'some-host'
ingress.tls:
- secretName: gitea-tls
hosts:
- 'some-host'
asserts:
- isKind:
of: Ingress
- equal:
path: spec.tls[0].hosts[0]
value: 'some-host'
- equal:
path: spec.rules[0].host
value: 'some-host'
- equal:
path: spec.ingressClassName
value: 'ingress-class'


@ -1,155 +0,0 @@
# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
suite: route template
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/route.yaml
tests:
- it: hostname using TPL
set:
global.giteaHostName: 'gitea.example.com'
route.enabled: true
route.host: '{{ .Values.global.giteaHostName }}'
asserts:
- isKind:
of: Route
- equal:
path: spec.host
value: 'gitea.example.com'
- notExists:
path: spec.wildcardPolicy
- it: wildcard policy
set:
global.giteaHostName: 'gitea.example.com'
route.enabled: true
route.wildcardPolicy: 'Subdomain'
asserts:
- isKind:
of: Route
- equal:
path: spec.wildcardPolicy
value: 'Subdomain'
- it: existing certificate
set:
route.enabled: true
route.tls.existingSecret: certificate-secret
route.tls.certificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
route.tls.privateKey: |
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
route.tls.caCertificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
asserts:
- isKind:
of: Route
- equal:
path: spec.tls.externalCertificate
value: certificate-secret
- notExists:
path: spec.tls.certificate
- notExists:
path: spec.tls.key
- notExists:
path: spec.tls.caCertificate
- it: valid certificate values
set:
route.enabled: true
route.tls.certificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
route.tls.privateKey: |
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
route.tls.caCertificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
asserts:
- isKind:
of: Route
- notExists:
path: spec.tls.externalCertificate
- equal:
path: spec.tls.certificate
value: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
- equal:
path: spec.tls.key
value: |
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
- equal:
path: spec.tls.caCertificate
value: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
- it: missing certificate values
set:
route.enabled: true
route.tls.privateKey: |
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
route.tls.caCertificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
asserts:
- failedTemplate:
errorMessage: certificate, privateKey and caCertificate must be specified together
- it: missing privateKey values
set:
route.enabled: true
route.tls.certificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
route.tls.caCertificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
asserts:
- failedTemplate:
errorMessage: certificate, privateKey and caCertificate must be specified together
- it: missing caCertificate values
set:
route.enabled: true
route.tls.certificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
route.tls.privateKey: |
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
asserts:
- failedTemplate:
errorMessage: certificate, privateKey and caCertificate must be specified together


@ -1,25 +0,0 @@
# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
suite: deployment template (security context)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: FS group set to 1000
template: templates/gitea/deployment.yaml
set:
image.rootless: false
asserts:
- equal:
path: spec.template.spec.securityContext.fsGroup
value: 1000
- it: run configure-gitea with UID 1000
template: templates/gitea/deployment.yaml
set:
image.rootless: false
asserts:
- equal:
path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser
value: 1000


@ -1,25 +0,0 @@
# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
suite: deployment template (security context)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: FS group not set
template: templates/gitea/deployment.yaml
set:
image.rootless: false
global.compatibility.openshift.adaptSecurityContext: force
asserts:
- notExists:
path: spec.template.spec.securityContext.fsGroup
- it: configure-gitea without runaAsUser
template: templates/gitea/deployment.yaml
set:
image.rootless: false
global.compatibility.openshift.adaptSecurityContext: force
asserts:
- notExists:
path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser


@ -1,39 +0,0 @@
# File: tests/gitea-storageclass-tests.yaml
suite: storage class configuration tests
release:
name: gitea-storageclass-tests
namespace: testing
templates:
- templates/gitea/pvc.yaml
tests:
- it: should set storageClassName when persistence.storageClass is defined
template: templates/gitea/pvc.yaml
set:
persistence.storageClass: 'my-storage-class'
asserts:
- equal:
path: 'spec.storageClassName'
value: 'my-storage-class'
- it: should set global.storageClass when persistence.storageClass is not defined
template: templates/gitea/pvc.yaml
set:
global.storageClass: 'default-storage-class'
asserts:
- equal:
path: spec.storageClassName
value: 'default-storage-class'
- it: should set storageClassName when persistence.storageClass is defined and global.storageClass is defined
template: templates/gitea/pvc.yaml
set:
global.storageClass: 'default-storage-class'
persistence.storageClass: 'my-storage-class'
asserts:
- equal:
path: spec.storageClassName
value: 'my-storage-class'


@ -1,128 +0,0 @@
suite: ssh-svc / http-svc template (Services configuration)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/ssh-svc.yaml
- templates/gitea/http-svc.yaml
tests:
- it: supports adding custom labels to ssh-svc
template: templates/gitea/ssh-svc.yaml
set:
service:
ssh:
labels:
gitea/testkey: testvalue
asserts:
- equal:
path: metadata.labels["gitea/testkey"]
value: 'testvalue'
- it: keeps existing labels (ssh)
template: templates/gitea/ssh-svc.yaml
set:
service:
ssh:
labels: {}
asserts:
- exists:
path: metadata.labels["app"]
- it: supports adding custom labels to http-svc
template: templates/gitea/http-svc.yaml
set:
service:
http:
labels:
gitea/testkey: testvalue
asserts:
- equal:
path: metadata.labels["gitea/testkey"]
value: 'testvalue'
- it: keeps existing labels (http)
template: templates/gitea/http-svc.yaml
set:
service:
http:
labels: {}
asserts:
- exists:
path: metadata.labels["app"]
- it: uses default ports to ssh-svc
template: templates/gitea/ssh-svc.yaml
asserts:
- equal:
path: spec.ports[0].port
value: 22
- equal:
path: spec.ports[0].targetPort
value: ssh
- it: render service.ssh.loadBalancerClass if set and type is LoadBalancer
template: templates/gitea/ssh-svc.yaml
set:
service:
ssh:
loadBalancerClass: 'example.com/class'
type: LoadBalancer
loadBalancerIP: '1.2.3.4'
loadBalancerSourceRanges:
- '1.2.3.4/32'
- '5.6.7.8/32'
asserts:
- equal:
path: spec.loadBalancerClass
value: 'example.com/class'
- equal:
path: spec.loadBalancerIP
value: '1.2.3.4'
- equal:
path: spec.loadBalancerSourceRanges
value: ['1.2.3.4/32', '5.6.7.8/32']
- it: does not render when loadbalancer properties are set but type is not loadBalancerClass
template: templates/gitea/http-svc.yaml
set:
service:
http:
type: ClusterIP
loadBalancerClass: 'example.com/class'
loadBalancerIP: '1.2.3.4'
loadBalancerSourceRanges:
- '1.2.3.4/32'
- '5.6.7.8/32'
asserts:
- notExists:
path: spec.loadBalancerClass
- notExists:
path: spec.loadBalancerIP
- notExists:
path: spec.loadBalancerSourceRanges
- it: does not render loadBalancerClass by default even when type is LoadBalancer
template: templates/gitea/http-svc.yaml
set:
service:
http:
type: LoadBalancer
loadBalancerIP: '1.2.3.4'
asserts:
- notExists:
path: spec.loadBalancerClass
- equal:
path: spec.loadBalancerIP
value: '1.2.3.4'
- it: both ssh and http services exist
templates:
- templates/gitea/ssh-svc.yaml
- templates/gitea/http-svc.yaml
asserts:
- matchRegex:
path: metadata.name
pattern: '^gitea-unittests-forgejo-(?:ssh|http)$'
- matchRegex:
path: spec.ports[0].name
pattern: '^(?:ssh|http)$'


@ -1,6 +1,6 @@
suite: Init template (rootless)
suite: Init template
release:
name: forgejo-unittests
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/init.yaml
@ -67,6 +67,7 @@ tests:
chown 1000:1000 "${GNUPGHOME}"
fi
- it: it does not chown /data even when image.fullOverride is set
template: templates/gitea/init.yaml
set:
image.fullOverride: gitea/gitea:1.20.5
asserts:


@ -1,19 +0,0 @@
suite: PVC template
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/pvc.yaml
tests:
- it: Storage Class using TPL
set:
global.persistence.storageClass: 'storage-class'
persistence.enabled: true
persistence.create: true
persistence.storageClass: '{{ .Values.global.persistence.storageClass }}'
asserts:
- isKind:
of: PersistentVolumeClaim
- equal:
path: spec.storageClassName
value: 'storage-class'


@ -1,14 +0,0 @@
suite: Values conflicting checks
release:
name: gitea-unittests
namespace: testing
tests:
- it: fails when trying to configure redis and redis-cluster the same time
set:
redis-cluster:
enabled: true
redis:
enabled: true
asserts:
- failedTemplate:
errorMessage: redis and redis-cluster cannot be enabled at the same time. Please only choose one.


@ -20,10 +20,6 @@ global:
# hostnames:
# - example.com
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ''
## @param replicaCount number of replicas for the deployment
replicaCount: 1
@ -43,13 +39,13 @@ clusterDomain: cluster.local
## @section Image
## @param image.registry image registry, e.g. gcr.io,docker.io
## @param image.repository Image to start for this pod
## @param image.tag Visit: [Image tag](https://code.forgejo.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml.
## @param image.tag Visit: [Image tag](https://codeberg.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml.
## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
## @param image.pullPolicy Image pull policy
## @param image.rootless Wether or not to pull the rootless version of Forgejo
## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).**
image:
registry: code.forgejo.org
registry: codeberg.org
repository: forgejo/forgejo
# Overrides the image tag whose default is the chart appVersion.
tag: ''
@ -101,7 +97,7 @@ podDisruptionBudget: {}
service:
## @param service.http.type Kubernetes service type for web traffic
## @param service.http.port Port number for web traffic
## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment
## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment is None
## @param service.http.loadBalancerIP LoadBalancer IP setting
## @param service.http.nodePort NodePort for http service
## @param service.http.externalTrafficPolicy If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@ -110,12 +106,10 @@ service:
## @param service.http.ipFamilies HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/).
## @param service.http.loadBalancerSourceRanges Source range filter for http loadbalancer
## @param service.http.annotations HTTP service annotations
## @param service.http.labels HTTP service additional labels
## @param service.http.loadBalancerClass Loadbalancer class
http:
type: ClusterIP
port: 3000
clusterIP:
clusterIP: None
loadBalancerIP:
nodePort:
externalTrafficPolicy:
@ -124,11 +118,9 @@ service:
ipFamilies:
loadBalancerSourceRanges: []
annotations: {}
labels: {}
loadBalancerClass:
## @param service.ssh.type Kubernetes service type for ssh traffic
## @param service.ssh.port Port number for ssh traffic
## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment
## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment is None
## @param service.ssh.loadBalancerIP LoadBalancer IP setting
## @param service.ssh.nodePort NodePort for ssh service
## @param service.ssh.externalTrafficPolicy If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@ -138,12 +130,10 @@ service:
## @param service.ssh.hostPort HostPort for ssh service
## @param service.ssh.loadBalancerSourceRanges Source range filter for ssh loadbalancer
## @param service.ssh.annotations SSH service annotations
## @param service.ssh.labels SSH service additional labels
## @param service.ssh.loadBalancerClass Loadbalancer class
ssh:
type: ClusterIP
port: 22
clusterIP:
clusterIP: None
loadBalancerIP:
nodePort:
externalTrafficPolicy:
@ -153,8 +143,6 @@ service:
hostPort:
loadBalancerSourceRanges: []
annotations: {}
labels: {}
loadBalancerClass:
## @section Ingress
## @param ingress.enabled Enable ingress
@ -164,6 +152,7 @@ service:
## @param ingress.hosts[0].paths[0].path Default Ingress path
## @param ingress.hosts[0].paths[0].pathType Ingress path type
## @param ingress.tls Ingress tls settings
## @extra ingress.apiVersion Specify APIVersion of ingress object. Mostly would only be used for argocd.
ingress:
enabled: false
# className: nginx
@ -181,48 +170,9 @@ ingress:
# - secretName: chart-example-tls
# hosts:
# - git.example.com
## @section Route
## @param route.enabled Enable route
## @param route.annotations Route annotations
## @param route.host Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined)
## @param route.wildcardPolicy Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed.
## @param route.tls.termination termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls))
## @param route.tls.insecureEdgeTerminationPolicy the desired behavior for insecure connections to a route (e.g. with http)
## @param route.tls.existingSecret the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored)
## @param route.tls.certificate PEM encoded single certificate
## @param route.tls.privateKey PEM encoded private key
## @param route.tls.caCertificate PEM encoded CA certificate or chain that issued the certificate
## @param route.tls.destinationCACertificate PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise)
route:
enabled: false
annotations: {}
host:
wildcardPolicy:
tls:
termination: edge
insecureEdgeTerminationPolicy: Redirect
existingSecret:
certificate:
# certificate: |-
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
privateKey:
# privateKey: |-
# -----BEGIN PRIVATE KEY-----
# ...
# -----END PRIVATE KEY-----
caCertificate:
# caCertificate: |-
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
destinationCACertificate:
# destinationCACertificate: |-
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# Mostly for argocd or any other CI that uses `helm template | kubectl apply` or similar
# If helm doesn't correctly detect your ingress API version you can set it here.
# apiVersion: networking.k8s.io/v1
## @section deployment
#
@ -369,7 +319,7 @@ initContainers:
#
## @param signing.enabled Enable commit/action signing
## @param signing.gpgHome GPG home directory
## @param signing.privateKey Inline private GPG key for signed internal Git activity
## @param signing.privateKey Inline private gpg key for signed Forgejo actions
## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
signing:
enabled: false
@ -388,23 +338,19 @@ gitea:
## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials
## @param gitea.admin.password Password for the Forgejo admin user
## @param gitea.admin.email Email for the Forgejo admin user
## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated
admin:
# existingSecret: gitea-admin-secret
existingSecret:
username: gitea_admin
password: r8sA8CPHD9!bt6d
email: 'gitea@local.domain'
passwordMode: keepUpdated
## @param gitea.metrics.enabled Enable Forgejo metrics
## @param gitea.metrics.serviceMonitor.enabled Enable Forgejo metrics service monitor
## @param gitea.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
metrics:
enabled: false
serviceMonitor:
enabled: false
namespace: ''
# additionalLabels:
# prometheus-release: prom1
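Review bot: The `password:` line under `gitea.admin` ships a fixed literal as the chart default, so any release installed without overriding it or setting `existingSecret` comes up with an admin credential that is published in the chart source. I would default it to empty, `password: ''`, and have the templates either fail the render or generate a random value when neither `password` nor `existingSecret` is supplied. The templates are not part of this hunk, so how the value is consumed is inferred. `passwordMode` appears to be absent on this side, so the `@param gitea.admin.password` line should also say whether an upgrade overwrites a password that was changed in the UI. The `gitea:` block starts before and continues after the hunk.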
@ -441,6 +387,18 @@ gitea:
# customProfileUrl:
# customEmailUrl:
## @param gitea.config.server.SSH_PORT SSH port for rootlful Forgejo image
## @param gitea.config.server.SSH_LISTEN_PORT SSH port for rootless Forgejo image
config:
# APP_NAME: "Forgejo: Git with a cup of tea"
# RUN_MODE: dev
server:
SSH_PORT: 22 # rootful image
SSH_LISTEN_PORT: 2222 # rootless image
#
# security:
# PASSWORD_COMPLEXITY: spec
## @param gitea.additionalConfigSources Additional configuration from secret or configmap
additionalConfigSources: []
# - secret:
@ -458,158 +416,6 @@ gitea:
ssh:
logLevel: 'INFO'
## @section `app.ini` overrides
## @descriptionStart
## Every value described in the [Cheat
## Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/) can be
## set as a Helm value. Configuration sections map to (lowercased) YAML
## blocks, while the keys themselves remain in all caps.
## @descriptionEnd
config:
# values in the DEFAULT section
# (https://forgejo.org/docs/latest/admin/config-cheat-sheet/#overall-default)
# are un-namespaced
## @param gitea.config.APP_NAME Application name, used in the page title
APP_NAME: 'Forgejo: Beyond coding. We forge.'
## @param gitea.config.RUN_MODE Application run mode, affects performance and debugging: `dev` or `prod`
RUN_MODE: prod
## @param gitea.config.repository General repository settings
repository: {}
## @param gitea.config.cors Cross-origin resource sharing settings
cors: {}
## @param gitea.config.ui User interface settings
ui: {}
## @param gitea.config.markdown Markdown parser settings
markdown: {}
## @param gitea.config.server [object] General server settings
server:
SSH_PORT: 22 # rootful image
SSH_LISTEN_PORT: 2222 # rootless image
## @param gitea.config.database Database configuration (only necessary with an [externally managed DB](https://code.forgejo.org/forgejo-helm/forgejo-helm#external-database)).
database: {}
## @param gitea.config.indexer Settings for what content is indexed and how
indexer: {}
## @param gitea.config.queue Job queue configuration
queue: {}
## @param gitea.config.admin Admin user settings
admin: {}
## @param gitea.config.security Site security settings
security: {}
## @param gitea.config.camo Settings for the [camo](https://github.com/cactus/go-camo) media proxy server (disabled by default)
camo: {}
## @param gitea.config.openid Configuration for authentication with OpenID (disabled by default)
openid: {}
## @param gitea.config.oauth2_client OAuth2 client settings
oauth2_client: {}
## @param gitea.config.service Configuration for miscellaneous Forgejo services
service: {}
## @param gitea.config.ssh.minimum_key_sizes SSH minimum key sizes
ssh.minimum_key_sizes: {}
## @param gitea.config.webhook Webhook settings
webhook: {}
## @param gitea.config.mailer Mailer configuration (disabled by default)
mailer: {}
## @param gitea.config.email.incoming Configuration for handling incoming mail (disabled by default)
email.incoming: {}
## @param gitea.config.cache Cache configuration
cache: {}
## @param gitea.config.session Session/cookie handling
session: {}
## @param gitea.config.picture User avatar settings
picture: {}
## @param gitea.config.project Project board defaults
project: {}
## @param gitea.config.attachment Issue and PR attachment configuration
attachment: {}
## @param gitea.config.log Logging configuration
log: {}
## @param gitea.config.cron Cron job configuration
cron: {}
## @param gitea.config.git Global settings for Git
git: {}
## @param gitea.config.metrics Settings for the Prometheus endpoint (disabled by default)
metrics: {}
## @param gitea.config.api Settings for the Swagger API documentation endpoints
api: {}
## @param gitea.config.oauth2 Settings for the [OAuth2 provider](https://forgejo.org/docs/latest/admin/oauth2-provider/)
oauth2: {}
## @param gitea.config.i18n Internationalization settings
i18n: {}
## @param gitea.config.markup Configuration for advanced markup processors
markup: {}
## @param gitea.config.highlight.mapping File extension to language mapping overrides for syntax highlighting
highlight.mapping: {}
## @param gitea.config.time Locale settings
time: {}
## @param gitea.config.migrations Settings for Git repository migrations
migrations: {}
## @param gitea.config.federation Federation configuration
federation: {}
## @param gitea.config.packages Package registry settings
packages: {}
## @param gitea.config.mirror Configuration for repository mirroring
mirror: {}
## @param gitea.config.lfs Large File Storage configuration
lfs: {}
## @param gitea.config.repo-avatar Repository avatar storage configuration
repo-avatar: {}
## @param gitea.config.avatar User/org avatar storage configuration
avatar: {}
## @param gitea.config.storage General storage settings
storage: {}
## @param gitea.config.proxy Proxy configuration (disabled by default)
proxy: {}
## @param gitea.config.actions Configuration for [Forgejo Actions](https://forgejo.org/docs/latest/user/actions/)
actions: {}
## @param gitea.config.other Uncategorized configuration options
other: {}
## @section LivenessProbe
#
## @param gitea.livenessProbe.enabled Enable liveness probe
@ -633,8 +439,7 @@ gitea:
## @section ReadinessProbe
#
## @param gitea.readinessProbe.enabled Enable readiness probe
## @param gitea.readinessProbe.httpGet.path Path to probe for readiness
## @param gitea.readinessProbe.httpGet.port Port to probe for readiness
## @param gitea.readinessProbe.tcpSocket.port Port to probe for readiness
## @param gitea.readinessProbe.initialDelaySeconds Initial delay before readiness probe is initiated
## @param gitea.readinessProbe.timeoutSeconds Timeout for readiness probe
## @param gitea.readinessProbe.periodSeconds Period for readiness probe
@ -643,8 +448,7 @@ gitea:
# Modify the readiness probe for your needs or completely disable it by commenting out.
readinessProbe:
enabled: true
httpGet:
path: /api/healthz
tcpSocket:
port: http
initialDelaySeconds: 5
timeoutSeconds: 1
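Review bot: The `tcpSocket` check in `readinessProbe` only proves that the `http` port accepts connections, so a pod can be marked Ready and receive traffic while the application behind it cannot serve requests yet. The other side of this compare probes `httpGet` with `path: /api/healthz`. If the Forgejo version this chart deploys exposes that endpoint (not visible here), keep `httpGet:` / `path: /api/healthz` / `port: http` instead. The `readinessProbe` block continues past the end of the hunk.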
@ -675,11 +479,10 @@ gitea:
## @section Redis&reg; Cluster
## @descriptionStart
## Redis&reg; Cluster is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) if enabled in the values.
## Full configuration options are available on their website.
## Redis cluster and [Redis](#redis) cannot be enabled at the same time.
## Complete Configuration can be taken from their website.
## @descriptionEnd
#
## @param redis-cluster.enabled Enable redis cluster
## @param redis-cluster.enabled Enable redis
## @param redis-cluster.usePassword Whether to use password authentication
## @param redis-cluster.cluster.nodes Number of redis cluster master nodes
## @param redis-cluster.cluster.replicas Number of redis cluster master node replicas
@ -690,30 +493,10 @@ redis-cluster:
nodes: 3 # default: 6
replicas: 0 # default: 1
## @section Redis&reg;
## @descriptionStart
## Redis&reg; is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis) if enabled in the values.
## Full configuration options are available on their website.
## Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
## @descriptionEnd
#
## @param redis.enabled Enable redis standalone or replicated
## @param redis.architecture Whether to use standalone or replication
## @param redis.global.redis.password Required password
## @param redis.master.count Number of Redis master instances to deploy
redis:
enabled: false
architecture: standalone
global:
redis:
password: changeme
master:
count: 1
## @section PostgreSQL HA
## @descriptionStart
## PostgreSQL HA is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) if enabled in the values.
## Full configuration options are available on their website.
## Complete Configuration can be taken from their website.
## @descriptionEnd
#
## @param postgresql-ha.enabled Enable PostgreSQL HA chart
@ -725,7 +508,7 @@ redis:
## @param postgresql-ha.postgresql.postgresPassword postgres Password
## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword
## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
## @param postgresql-ha.primary.persistence.size PVC Storage Request for PostgreSQL HA volume
## @param postgresql-ha.primary.persistence.size PVC Storage Request for PostgreSQL-ha volume
postgresql-ha:
global:
postgresql:
@ -749,7 +532,7 @@ postgresql-ha:
## @section PostgreSQL
## @descriptionStart
## PostgreSQL is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) if enabled in the values.
## Full configuration options are available on their website.
## Complete Configuration can be taken from their website.
## @descriptionEnd
#
## @param postgresql.enabled Enable PostgreSQL
@ -776,8 +559,8 @@ postgresql:
# By default, removed or moved settings that still remain in a user defined values.yaml will cause Helm to fail running the install/update.
# Set it to false to skip this basic validation check.
## @section Advanced
## @param checkDeprecation Whether to run this basic validation check.
## @param test.enabled Whether to use test-connection Pod.
## @param checkDeprecation Set it to false to skip this basic validation check.
## @param test.enabled Set it to false to disable test-connection Pod.
## @param test.image.name Image name for the wget container used in the test-connection Pod.
## @param test.image.tag Image tag for the wget container used in the test-connection Pod.
checkDeprecation: true
@ -787,6 +570,6 @@ test:
name: busybox
tag: latest
## @param extraDeploy Array of extra objects to deploy with the release.
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []