This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [forgejo](https://forgejo.org) ([source](https://codeberg.org/forgejo/forgejo)) | patch | `10.0.0` -> `10.0.1` |
---
### Release Notes
<details>
<summary>forgejo/forgejo (forgejo)</summary>
### [`v10.0.1`](https://codeberg.org/forgejo/forgejo/releases/tag/v10.0.1)
See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/10.0.1.md
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xNTYuMSIsInVwZGF0ZWRJblZlciI6IjM5LjE1Ni4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Reviewed-on: https://code.forgejo.org/forgejo-helm/forgejo-helm/pulls/1089
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
The `apiVersion` should be `networking.k8s.io/v1`
Reviewed-on: https://code.forgejo.org/forgejo-helm/forgejo-helm/pulls/1056
Co-authored-by: joshuachp <joshuachp@noreply.code.forgejo.org>
Co-committed-by: joshuachp <joshuachp@noreply.code.forgejo.org>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| forgejo | patch | `1.21.10-0` -> `1.21.11-0` |
---
### Release Notes
<details>
<summary>forgejo/forgejo (forgejo)</summary>
### [`v1.21.11-0`](https://codeberg.org/forgejo/forgejo/releases/tag/v1.21.11-0)
See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-21-11-0
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yODcuMCIsInVwZGF0ZWRJblZlciI6IjM3LjI4Ny4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Reviewed-on: https://codeberg.org/forgejo-contrib/forgejo-helm/pulls/426
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [postgresql-ha](https://github.com/bitnami/charts) ([source](https://github.com/bitnami/charts/tree/HEAD/bitnami/postgresql-ha)) | major | `13.6.1` -> `14.0.0` |
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNDYuMSIsInVwZGF0ZWRJblZlciI6IjM3LjI0Ni4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
Reviewed-on: https://codeberg.org/forgejo-contrib/forgejo-helm/pulls/386
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [helm-unittest/helm-unittest](https://github.com/helm-unittest/helm-unittest) | patch | `v0.4.2` -> `v0.4.3` |
---
### Release Notes
<details>
<summary>helm-unittest/helm-unittest (helm-unittest/helm-unittest)</summary>
### [`v0.4.3`](https://github.com/helm-unittest/helm-unittest/releases/tag/v0.4.3)
[Compare Source](https://github.com/helm-unittest/helm-unittest/compare/v0.4.2...v0.4.3)
**Improvements**
- Improve development, by running PR validation using GitHub actions (credits [@​ivankatliarchuk](https://github.com/ivankatliarchuk))
**Fixes**
- Fix unittest fails when chart name has same name as one of its dependencies (resolves [#​283](https://github.com/helm-unittest/helm-unittest/issues/283))
- Fix documentSelector matches resources outside of selected templates (credits [@​ivankatliarchuk](https://github.com/ivankatliarchuk), resolves [#​286](https://github.com/helm-unittest/helm-unittest/issues/286))
- Fix IsNullOrEmptyValidator for single values (credits [@​arkbriar](https://github.com/arkbriar))
- Fix validation on Windows target platform
**Updates**
- Update packages to latest patch versions
- Update documentation (credits [@​gionn](https://github.com/gionn), credits [@​mgnisia](https://github.com/mgnisia))
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNDYuMSIsInVwZGF0ZWRJblZlciI6IjM3LjI0Ni4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
Reviewed-on: https://codeberg.org/forgejo-contrib/forgejo-helm/pulls/391
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
- [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini)
- [External Database](#external-database)
- [Ports and external url](#ports-and-external-url)
- [ClusterIP](#clusterip)
- [SSH and Ingress](#ssh-and-ingress)
- [SSH on crio based kubernetes cluster](#ssh-on-crio-based-kubernetes-cluster)
- [Cache](#cache)
@ -44,29 +45,37 @@
- [Init](#init)
- [Signing](#signing)
- [Gitea](#gitea)
- [`app.ini` overrides](#appini-overrides)
- [LivenessProbe](#livenessprobe)
- [ReadinessProbe](#readinessprobe)
- [StartupProbe](#startupprobe)
- [redis-cluster](#redis-cluster)
- [PostgreSQL-ha](#postgresql-ha)
- [Redis® Cluster](#redis-cluster)
- [Redis®](#redis)
- [PostgreSQL HA](#postgresql-ha)
- [PostgreSQL](#postgresql)
- [Advanced](#advanced)
- [Contributing](#contributing)
- [Upgrading](#upgrading)
- [To v11](#to-v11)
- [To v10](#to-v10)
- [To v9](#to-v9)
- [To v8](#to-v8)
- [To v7](#to-v7)
- [To v6](#to-v6)
[Forgejo](https://forgejo.org/) is a community managed lightweight code hosting solution written in Go.
It is published under the MIT license.
## Introduction
This helm chart is based on official [Gitea helm chart](https://gitea.com/gitea/helm-chart).
This Helm chart is based on the [Gitea chart](https://gitea.com/gitea/helm-chart).
Yet it takes a completely different approach in providing a database and cache with dependencies.
Additionally, this chart allows to provide LDAP and admin user configuration with values.
## Update and versioning policy
The Forgejo helm chart versioning does not follow Forgejo's versioning.
The latest chart version can be looked up in <https://codeberg.org/forgejo-contrib/-/packages/container/forgejo/0.8.0> or in the [repository releases](https://codeberg.org/forgejo-contrib/forgejo-helm/releases).
The latest chart version can be looked up in <https://code.forgejo.org/forgejo-helm/-/packages/container/forgejo> or in the [repository releases](https://code.forgejo.org/forgejo-helm/forgejo-helm/releases).
The chart aims to follow Forgejo's releases closely.
There might be times when the chart is behind the latest Forgejo release.
@ -81,21 +90,51 @@ Yet most often no issues will be encountered and the chart maintainers aim to co
Forgejo can be run with an external database and cache.
This chart provides those dependencies, which can be enabled, or disabled via configuration.
Dependencies:
### HA Dependencies
- PostgreSQL HA ([configuration](#postgresql))
- Redis Cluster ([configuration](#cache))
These dependencies are enabled by default:
- PostgreSQL HA ([Bitnami PostgreSQL-HA](https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml))
Updates of sub-charts will be incorporated into the Gitea chart as they are released.
The reasoning behind this is that new users of the chart will start with the most recent sub-chart dependency versions.
**Note** If you want to stay on an older appVersion of a sub-chart dependency (e.g. PostgreSQL), you need to override the image tag in your `values.yaml` file.
In fact, we recommend to do so right from the start to be independent of major sub-chart dependency changes as they are released.
There is no need to update to every new PostgreSQL major version - you can happily skip some and do larger updates when you are ready for them.
We recommend to use a rolling tag like `:<majorVersion>-debian-<debian major version>` to incorporate minor and patch updates for the respective major version as they are released.
Alternatively you can also use a versioning helper tool like [renovate](https://github.com/renovatebot/renovate).
Please double-check the image repository and available tags in the sub-chart:
Some settings inside _app.ini_ (like passwords or whole authentication configurations) must be considered sensitive and therefore should not be passed via plain text inside the _values.yaml_ file.
@ -325,7 +381,7 @@ stringData:
#### User defined environment variables in app.ini
Users are able to define their own environment variables, which are loaded into the containers.
We also support to directly interact with the generated _app.ini_.
We also support interacting directly with the generated _app.ini_.
To inject self defined variables into the _app.ini_ a certain format needs to be honored.
This is described in detail on the [env-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini) page.
@ -336,9 +392,10 @@ For example a database setting needs to have the following format:
```yaml
gitea:
config:
database:
HOST: my.own.host
additionalConfigFromEnvs:
- name: FORGEJO__DATABASE__HOST
value: my.own.host
- name: FORGEJO__DATABASE__PASSWD
valueFrom:
secretKeyRef:
@ -355,7 +412,7 @@ Priority (highest to lowest) for defining app.ini variables:
### External Database
Any external database listed in [https://docs.gitea.com/installation/database-prep](https://docs.gitea.com/installation/database-prep) can be used instead of the built-in PostgreSQL.
A [supported external database](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#database-database/)can be used instead of the built-in PostgreSQL.
In fact, it is **highly recommended** to use an external database to ensure a stable Forgejo installation longterm.
If an external database is used, no matter which type, make sure to set `postgresql.enabled` to `false` to disable the use of the built-in PostgreSQL.
@ -364,7 +421,7 @@ If an external database is used, no matter which type, make sure to set `postgre
gitea:
config:
database:
DB_TYPE: mysql
DB_TYPE: mysql # supported values are mysql, postgres, mssql, sqlite3
HOST: <mysqlHOST>
NAME: gitea
USER: root
@ -392,23 +449,6 @@ This helm chart automatically configures the clone urls to use the correct ports
You can change these ports by hand using the `gitea.config` dict.
However you should know what you're doing.
### ClusterIP
By default the `clusterIP` will be set to `None`, which is the default for headless services.
However if you want to omit the clusterIP field in the service, use the following values:
```yaml
service:
http:
type: ClusterIP
port: 3000
clusterIP:
ssh:
type: ClusterIP
port: 22
clusterIP:
```
### SSH and Ingress
If you're using ingress and want to use SSH, keep in mind, that ingress is not able to forward SSH Ports.
@ -418,7 +458,7 @@ You will need a LoadBalancer like `metallb` and a setting in your ssh service an
service:
ssh:
annotations:
metallb.universe.tf/allow-shared-ip: test
metallb.io/allow-shared-ip: test
```
### SSH on crio based kubernetes cluster
@ -491,8 +531,6 @@ postgresql:
This chart enables you to create a default admin user.
It is also possible to update the password for this user by upgrading or redeploying the chart.
It is not possible to delete an admin user after it has been created.
This has to be done in the ui.
You cannot use `admin` as username.
```yaml
@ -522,10 +560,26 @@ gitea:
existingSecret: gitea-admin-secret
```
To delete the admin user, set `username` or `password` to an empty value and delete the user in the UI.
Whether you use the existing Secret or specify a username and password directly, there are three modes for how the admin user password is created or set.
- `keepUpdated` (the default) will set the admin user password, and reset it to the defined value every time the pod is recreated.
- `initialOnlyNoReset` will set the admin user password when creating it, but never try to update the password.
- `initialOnlyRequireReset` will set the admin user password when creating it, never update it, and require that the password be changed at the initial login.
These modes can be set like the following:
```yaml
gitea:
admin:
passwordMode: initialOnlyRequireReset
```
### LDAP Settings
Like the admin user the LDAP settings can be updated.
All LDAP values from <https://docs.gitea.com/administration/command-line#admin> are available.
All LDAP values from <https://forgejo.org/docs/latest/admin/command-line/#admin> are available.
Multiple LDAP sources can be configured with additional LDAP list items.
@ -578,9 +632,8 @@ Affected options:
### OAuth2 Settings
Like the admin user, OAuth2 settings can be updated and disabled but not deleted.
Deleting OAuth2 settings has to be done in the ui.
All OAuth2 values, which are documented [here](https://docs.gitea.com/administration/command-line#admin), are
available.
Deleting OAuth2 settings has to be done in the UI.
[All OAuth2 values](https://forgejo.org/docs/latest/admin/command-line/#admin-auth-add-oauth) are available.
Multiple OAuth2 sources can be configured with additional OAuth list items.
@ -619,14 +672,29 @@ gitea:
existingSecret: gitea-oauth-secret
```
### Compatibility with OCP (OKD or OpenShift)
Normally OCP is automatically detected and the compatibility mode set accordingly. To enforce the OCP compatibility mode use the following configuration:
```yaml
global:
compatibility:
openshift:
adaptSecurityContext: force
```
An OCP route to access Forgejo can be enabled with the following config:
```yaml
route:
enabled: true
```
## Configure commit signing
When using the rootless image the gpg key folder is not persistent by default.
If you consider using signed commits for internal Forgejo activities (e.g. initial commit), you'd need to provide a signing key.
Prior to [PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be re-imported once the container got replaced by another.
The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing.
By default this section is disabled to maintain backwards compatibility.
When using the rootless image, the GPG key folder is not persistent by default.
If you want commits by Forgejo (e.g. initial commit) to be signed,
you need to provide a signing key:
```yaml
signing:
@ -634,8 +702,10 @@ signing:
gpgHome: /data/git/.gnupg
```
Regardless of the used container image the `signing` object allows to specify a private gpg key.
Either using the `signing.privateKey` to define the key inline, or refer to an existing secret containing the key data by using `signing.existingSecret`.
By default this section is disabled to maintain backwards compatibility.
Regardless of the used container image the `signing` object allows to specify a private GPG key.
Either using the `signing.privateKey` to define the key inline, or referring to an existing secret containing the key data with `signing.existingSecret`.
```yaml
apiVersion: v1
@ -655,8 +725,8 @@ signing:
existingSecret: custom-gitea-gpg-key
```
To use the gpg key, Forgejo needs to be configured accordingly.
A detailed description can be found in the [official Gitea documentation](https://docs.gitea.com/administration/signing#general-configuration).
To use the GPG key, Forgejo needs to be configured accordingly.
A detailed description can be found in the [documentation](https://forgejo.org/docs/latest/admin/signing/#general-configuration).
## Metrics and profiling
@ -761,7 +831,7 @@ Here's an examplary `values.yml` definition which makes use of a digest:
| `service.http.type` | Kubernetes service type for web traffic | `ClusterIP` |
| `service.http.port` | Port number for web traffic | `3000` |
| `service.http.clusterIP` | ClusterIP setting for http autosetup for deployment is None | `None` |
| `service.http.clusterIP` | ClusterIP setting for http autosetup for deployment | `nil` |
| `service.http.loadBalancerIP` | LoadBalancer IP setting | `nil` |
| `service.http.nodePort` | NodePort for http service | `nil` |
| `service.http.externalTrafficPolicy` | If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | `nil` |
@ -842,9 +913,11 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
| `service.http.ipFamilies` | HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). | `nil` |
| `service.http.loadBalancerSourceRanges` | Source range filter for http loadbalancer | `[]` |
| `service.http.annotations` | HTTP service annotations | `{}` |
| `service.http.labels` | HTTP service additional labels | `{}` |
| `service.http.loadBalancerClass` | Loadbalancer class | `nil` |
| `service.ssh.type` | Kubernetes service type for ssh traffic | `ClusterIP` |
| `service.ssh.port` | Port number for ssh traffic | `22` |
| `service.ssh.clusterIP` | ClusterIP setting for ssh autosetup for deployment is None | `None` |
| `service.ssh.clusterIP` | ClusterIP setting for ssh autosetup for deployment | `nil` |
| `service.ssh.loadBalancerIP` | LoadBalancer IP setting | `nil` |
| `service.ssh.nodePort` | NodePort for ssh service | `nil` |
| `service.ssh.externalTrafficPolicy` | If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | `nil` |
@ -854,11 +927,13 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
| `service.ssh.hostPort` | HostPort for ssh service | `nil` |
| `service.ssh.loadBalancerSourceRanges` | Source range filter for ssh loadbalancer | `[]` |
| `service.ssh.annotations` | SSH service annotations | `{}` |
| `service.ssh.labels` | SSH service additional labels | `{}` |
| `service.ssh.loadBalancerClass` | Loadbalancer class | `nil` |
| `route.host` | Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined) | `nil` |
| `route.wildcardPolicy` | Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed. | `nil` |
| `route.tls.termination` | termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls)) | `edge` |
| `route.tls.insecureEdgeTerminationPolicy` | the desired behavior for insecure connections to a route (e.g. with http) | `Redirect` |
| `route.tls.existingSecret` | the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored) | `nil` |
| `route.tls.certificate` | PEM encoded single certificate | `nil` |
| `route.tls.caCertificate` | PEM encoded CA certificate or chain that issued the certificate | `nil` |
| `route.tls.destinationCACertificate` | PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise) | `nil` |
### deployment
@ -931,28 +1021,84 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
| `gitea.admin.username` | Username for the Forgejo admin user | `gitea_admin` |
| `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` |
| `gitea.admin.password` | Password for the Forgejo admin user | `r8sA8CPHD9!bt6d` |
| `gitea.admin.email` | Email for the Forgejo admin user | `gitea@local.domain` |
| `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` |
| `gitea.readinessProbe.tcpSocket.port` | Port to probe for readiness | `http` |
| `gitea.readinessProbe.httpGet.path` | Path to probe for readiness | `/api/healthz` |
| `gitea.readinessProbe.httpGet.port` | Port to probe for readiness | `http` |
| `gitea.readinessProbe.initialDelaySeconds` | Initial delay before readiness probe is initiated | `5` |
| `gitea.readinessProbe.timeoutSeconds` | Timeout for readiness probe | `1` |
| `gitea.readinessProbe.periodSeconds` | Period for readiness probe | `10` |
@ -992,19 +1139,33 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
### Redis® Cluster
Redis® Cluster is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) if enabled in the values.
Complete Configuration can be taken from their website.
Full configuration options are available on their website.
Redis cluster and [Redis](#redis) cannot be enabled at the same time.
{{- if eq (get .Values.gitea.config.cache "ADAPTER") "memory" -}}
{{- $warnings = append $warnings "Forgejo uses 'memory' for caching which is not recommended for production use. See https://forgejo.org/docs/latest/admin/config-cheat-sheet/#cache-cache for available options." -}}
{{- end }}
{{- if eq (get .Values.gitea.config.queue "TYPE") "level" -}}
{{- $warnings = append $warnings "Forgejo uses 'leveldb' for queue actions which is not recommended for production use. See https://forgejo.org/docs/latest/admin/config-cheat-sheet/#queue-queue-and-queue for available options." -}}
{{- end }}
{{- if eq (get .Values.gitea.config.session "PROVIDER") "memory" -}}
{{- $warnings = append $warnings "Forgejo uses 'memory' for sessions which is not recommended for production use. See https://forgejo.org/docs/latest/admin/config-cheat-sheet/#session-session for available options." -}}
{{printf"gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'".Values.gitea.admin.passwordMode|fail}}
{{- /*assert that only one PG dep is enabled */ -}}
{{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}}
{{- /*assert that only one PG dep is enabled */ -}}
{{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}}
{{- fail "Only one of postgresql or postgresql-ha can be enabled at the same time." -}}
{{- end }}
{{- end }}
{{- /* multiple replicas assertions */ -}}
{{- if gt .Values.replicaCount 1.0 -}}
{{- if (get (get .Values.gitea.config "cron.GIT_GC_REPOS") "ENABLED") -}}
{{- fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." -}}
{{- /* multiple replicas assertions */ -}}
{{- if gt .Values.replicaCount 1.0 -}}
{{- if .Values.gitea.config.cron -}}
{{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
{{- if eq .Values.gitea.config.cron.GIT_GC_REPOS.ENABLED true -}}
{{fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." }}
{{- end }}
{{- end }}
{{- end }}
{{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
{{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
{{- end }}
{{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
{{- if .Values.gitea.config.indexer -}}
{{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
{{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
{{- end }}
{{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
{{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_TYPE") "bleve" -}}
{{- if eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve" -}}
{{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
{{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_ENABLED") "true" -}}
{{- if eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED true -}}
{{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
config_environment.sh:|-
#!/usr/bin/env bash
set -euo pipefail
@ -83,15 +89,18 @@ stringData:
env2ini::log " + '${setting}'"
local masked_setting="${setting//./_0X2E_}" # '//' instructs to replace all matches
masked_setting="${masked_setting//-/_0X2D_}"
if [[ -z "${section}" ]]; then
export "FORGEJO____${setting^^}=${value}" # '^^' makes the variable content uppercase
export "FORGEJO____${masked_setting^^}=${value}" # '^^' makes the variable content uppercase
return
fi
local masked_section="${section//./_0X2E_}" # '//' instructs to replace all matches
masked_section="${masked_section//-/_0X2D_}"
export "FORGEJO__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase
export "FORGEJO__${masked_section^^}__${masked_setting^^}=${value}" # '^^' makes the variable content uppercase
- it:fails with multiple replicas and "GIT_GC_REPOS" enabled
template:templates/gitea/deployment.yaml
set:
replicaCount:2
persistence:
accessModes:
- ReadWriteMany
gitea:
config:
cron:
GIT_GC_REPOS:
ENABLED:true
asserts:
- failedTemplate:
errorMessage:"Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'."
- it:fails with multiple replicas and RWX file system not set
template:templates/gitea/deployment.yaml
set:
replicaCount:2
asserts:
- failedTemplate:
errorMessage:'When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany.'
- it:fails with multiple replicas and bleve issue indexer
template:templates/gitea/deployment.yaml
set:
replicaCount:2
persistence:
accessModes:
- ReadWriteMany
gitea:
config:
indexer:
ISSUE_INDEXER_TYPE:bleve
asserts:
- failedTemplate:
errorMessage:"When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)."
- it:fails with multiple replicas and bleve repo indexer
template:templates/gitea/deployment.yaml
set:
replicaCount:2
persistence:
accessModes:
- ReadWriteMany
gitea:
config:
indexer:
REPO_INDEXER_TYPE:bleve
REPO_INDEXER_ENABLED:true
asserts:
- failedTemplate:
errorMessage:"When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled."
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride:''
## @param replicaCount number of replicas for the deployment
replicaCount:1
@ -39,13 +43,13 @@ clusterDomain: cluster.local
## @section Image
## @param image.registry image registry, e.g. gcr.io,docker.io
## @param image.repository Image to start for this pod
## @param image.tag Visit: [Image tag](https://codeberg.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml.
## @param image.tag Visit: [Image tag](https://code.forgejo.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml.
## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
## @param image.pullPolicy Image pull policy
## @param image.rootless Wether or not to pull the rootless version of Forgejo
## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).**
image:
registry:codeberg.org
registry:code.forgejo.org
repository:forgejo/forgejo
# Overrides the image tag whose default is the chart appVersion.
tag:''
@ -97,7 +101,7 @@ podDisruptionBudget: {}
service:
## @param service.http.type Kubernetes service type for web traffic
## @param service.http.port Port number for web traffic
## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment is None
## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment
## @param service.http.loadBalancerIP LoadBalancer IP setting
## @param service.http.nodePort NodePort for http service
## @param service.http.externalTrafficPolicy If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@ -106,10 +110,12 @@ service:
## @param service.http.ipFamilies HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/).
## @param service.http.loadBalancerSourceRanges Source range filter for http loadbalancer
## @param service.http.annotations HTTP service annotations
## @param service.http.labels HTTP service additional labels
## @param service.http.loadBalancerClass Loadbalancer class
http:
type:ClusterIP
port:3000
clusterIP:None
clusterIP:
loadBalancerIP:
nodePort:
externalTrafficPolicy:
@ -118,9 +124,11 @@ service:
ipFamilies:
loadBalancerSourceRanges:[]
annotations:{}
labels:{}
loadBalancerClass:
## @param service.ssh.type Kubernetes service type for ssh traffic
## @param service.ssh.port Port number for ssh traffic
## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment is None
## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment
## @param service.ssh.loadBalancerIP LoadBalancer IP setting
## @param service.ssh.nodePort NodePort for ssh service
## @param service.ssh.externalTrafficPolicy If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@ -130,10 +138,12 @@ service:
## @param service.ssh.hostPort HostPort for ssh service
## @param service.ssh.loadBalancerSourceRanges Source range filter for ssh loadbalancer
## @param service.ssh.annotations SSH service annotations
## @param service.ssh.labels SSH service additional labels
## @param service.ssh.loadBalancerClass Loadbalancer class
## @param ingress.hosts[0].paths[0].pathType Ingress path type
## @param ingress.tls Ingress tls settings
## @extra ingress.apiVersion Specify APIVersion of ingress object. Mostly would only be used for argocd.
ingress:
enabled:false
# className: nginx
@ -170,9 +181,48 @@ ingress:
# - secretName: chart-example-tls
# hosts:
# - git.example.com
# Mostly for argocd or any other CI that uses `helm template | kubectl apply` or similar
# If helm doesn't correctly detect your ingress API version you can set it here.
# apiVersion: networking.k8s.io/v1
## @section Route
## @param route.enabled Enable route
## @param route.annotations Route annotations
## @param route.host Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined)
## @param route.wildcardPolicy Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed.
## @param route.tls.termination termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls))
## @param route.tls.insecureEdgeTerminationPolicy the desired behavior for insecure connections to a route (e.g. with http)
## @param route.tls.existingSecret the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored)
## @param route.tls.certificate PEM encoded single certificate
## @param route.tls.caCertificate PEM encoded CA certificate or chain that issued the certificate
## @param route.tls.destinationCACertificate PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise)
## @param signing.privateKey Inline private gpg key for signed Forgejo actions
## @param signing.privateKey Inline private GPG key for signed internal Git activity
## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
signing:
enabled:false
@ -338,19 +388,23 @@ gitea:
## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials
## @param gitea.admin.password Password for the Forgejo admin user
## @param gitea.admin.email Email for the Forgejo admin user
## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated
## @param gitea.readinessProbe.tcpSocket.port Port to probe for readiness
## @param gitea.readinessProbe.httpGet.path Path to probe for readiness
## @param gitea.readinessProbe.httpGet.port Port to probe for readiness
## @param gitea.readinessProbe.initialDelaySeconds Initial delay before readiness probe is initiated
## @param gitea.readinessProbe.timeoutSeconds Timeout for readiness probe
## @param gitea.readinessProbe.periodSeconds Period for readiness probe
@ -448,7 +643,8 @@ gitea:
# Modify the readiness probe for your needs or completely disable it by commenting out.
readinessProbe:
enabled:true
tcpSocket:
httpGet:
path:/api/healthz
port:http
initialDelaySeconds:5
timeoutSeconds:1
@ -479,10 +675,11 @@ gitea:
## @section Redis® Cluster
## @descriptionStart
## Redis® Cluster is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) if enabled in the values.
## Complete Configuration can be taken from their website.
## Full configuration options are available on their website.
## Redis cluster and [Redis](#redis) cannot be enabled at the same time.
## @param redis.master.count Number of Redis master instances to deploy
redis:
enabled:false
architecture:standalone
global:
redis:
password:changeme
master:
count:1
## @section PostgreSQL HA
## @descriptionStart
## PostgreSQL HA is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) if enabled in the values.
## Complete Configuration can be taken from their website.
## Full configuration options are available on their website.
## @descriptionEnd
#
## @param postgresql-ha.enabled Enable PostgreSQL HA chart
