Files
homelab/kubernetes/app/gitea/release.yaml
T

345 lines
11 KiB
YAML

apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gitea
namespace: flux-system
spec:
chart:
spec:
chart: gitea
version: 12.5.3
reconcileStrategy: ChartVersion
sourceRef:
kind: HelmRepository
name: gitea
namespace: flux-system
targetNamespace: gitea
interval: 1m0s
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
# Patch the init script: Gitea 1.26 removed environment-to-ini; use built-in subcommand instead.
# Remove once helm-gitea chart ships a release with the fix (commit 1baf2d0).
postRenderers:
- kustomize:
patches:
- target:
kind: Secret
name: gitea-gitea
patch: |
apiVersion: v1
kind: Secret
metadata:
name: gitea-gitea
stringData:
config_environment.sh: |
#!/usr/bin/env bash
set -euo pipefail
function env2ini::log() {
printf "$${1}\n"
}
function env2ini::read_config_to_env() {
local section="$${1}"
local line="$${2}"
if [[ -z "$${line}" ]]; then
# skip empty line
return
fi
# 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
local setting="$(awk -F '=' '{print $1}' <<< "$${line}" | xargs echo -n)"
if [[ -z "$${setting}" ]]; then
env2ini::log ' ! invalid setting'
exit 1
fi
local value=''
local regex="^$${setting}(\s*)=(\s*)(.*)"
if [[ $line =~ $regex ]]; then
value="$${BASH_REMATCH[3]}"
else
env2ini::log ' ! invalid setting'
exit 1
fi
env2ini::log " + '$${setting}'"
if [[ -z "$${section}" ]]; then
export "GITEA____$${setting^^}=$${value}" # '^^' makes the variable content uppercase
return
fi
local masked_section="$${section//./_0X2E_}" # '//' instructs to replace all matches
masked_section="$${masked_section//-/_0X2D_}"
export "GITEA__$${masked_section^^}__$${setting^^}=$${value}" # '^^' makes the variable content uppercase
}
function env2ini::reload_preset_envs() {
env2ini::log "Reloading preset envs..."
while read -r line; do
if [[ -z "$${line}" ]]; then
# skip empty line
return
fi
# 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
local setting="$(awk -F '=' '{print $1}' <<< "$${line}" | xargs echo -n)"
if [[ -z "$${setting}" ]]; then
env2ini::log ' ! invalid setting'
exit 1
fi
local value=''
local regex="^$${setting}(\s*)=(\s*)(.*)"
if [[ $line =~ $regex ]]; then
value="$${BASH_REMATCH[3]}"
else
env2ini::log ' ! invalid setting'
exit 1
fi
env2ini::log " + '$${setting}'"
export "$${setting^^}=$${value}" # '^^' makes the variable content uppercase
done < "$TMP_EXISTING_ENVS_FILE"
rm $TMP_EXISTING_ENVS_FILE
}
function env2ini::process_config_file() {
local config_file="$${1}"
local section="$(basename "$${config_file}")"
if [[ $section == '_generals_' ]]; then
env2ini::log " [ini root]"
section=''
else
env2ini::log " $${section}"
fi
while read -r line; do
env2ini::read_config_to_env "$${section}" "$${line}"
done < <(awk 1 "$${config_file}") # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
}
function env2ini::load_config_sources() {
local path="$${1}"
if [[ -d "$${path}" ]]; then
env2ini::log "Processing $(basename "$${path}")..."
while read -d '' configFile; do
env2ini::process_config_file "$${configFile}"
done < <(find "$${path}" -type l -not -name '..data' -print0)
env2ini::log "\n"
fi
}
function env2ini::generate_initial_secrets() {
# These environment variables will either be
# - overwritten with user defined values,
# - initially used to set up Gitea
# Anyway, they won't harm existing app.ini files
export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
env2ini::log "...Initial secrets generated\n"
}
# save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > $TMP_EXISTING_ENVS_FILE
# MUST BE CALLED BEFORE OTHER CONFIGURATION
env2ini::generate_initial_secrets
env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/inlines/"
env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/additionals/"
# load existing envs to override auto generated envs
env2ini::reload_preset_envs
env2ini::log "=== All configuration sources loaded ===\n"
# safety to prevent rewrite of secret keys if an app.ini already exists
if [ -f $${GITEA_APP_INI} ]; then
env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
env2ini::log ' - security.INTERNAL_TOKEN'
env2ini::log ' - security.SECRET_KEY'
env2ini::log ' - oauth2.JWT_SECRET'
env2ini::log ' - server.LFS_JWT_SECRET'
unset GITEA__SECURITY__INTERNAL_TOKEN
unset GITEA__SECURITY__SECRET_KEY
unset GITEA__OAUTH2__JWT_SECRET
unset GITEA__SERVER__LFS_JWT_SECRET
fi
gitea config edit-ini --apply-env --config "$GITEA_APP_INI" --out "$GITEA_APP_INI"
values:
strategy:
type: Recreate
podSecurityContext:
seccompProfile:
type: RuntimeDefault
image:
# renovate: currentValue=1.26.3-rootless currentDigest=sha256:4d1d79638bef7a4a82e3a269b95fae1bbb9bcba1258dd84fba7ba3a3a49581e3
tag: 1.26.3
digest: sha256:4d1d79638bef7a4a82e3a269b95fae1bbb9bcba1258dd84fba7ba3a3a49581e3
rootless: true
pullPolicy: IfNotPresent
postgresql-ha:
enabled: false
postgresql:
enabled: false
valkey-cluster:
enabled: false
valkey:
enabled: false
persistence:
enabled: true
create: true
claimName: gitea-data
size: 20Gi
storageClass: nfs-synology-ssd
accessModes:
- ReadWriteOnce
extraVolumes:
- name: gitea-extra
persistentVolumeClaim:
claimName: gitea-extra
extraContainerVolumeMounts:
- name: gitea-extra
mountPath: /data/extra
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 1Gi
service:
http:
type: ClusterIP
port: 3000
ssh:
type: NodePort
port: 22
nodePort: 32022
ingress:
enabled: true
className: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt
hosts:
- host: ${GITEA_HOST}
paths:
- path: /
pathType: Prefix
tls:
- secretName: gitea-tls
hosts:
- ${GITEA_HOST}
gitea:
admin:
existingSecret: gitea-admin
passwordMode: keepUpdated
oauth:
- name: authelia
provider: openidConnect
existingSecret: gitea-oauth-authelia
autoDiscoverUrl: https://auth.${AUTHELIA_DOMAIN}/.well-known/openid-configuration
config:
repository:
DEFAULT_BRANCH: master
server:
DOMAIN: ${GITEA_HOST}
ROOT_URL: https://${GITEA_HOST}/
SSH_DOMAIN: ${GITEA_HOST}
SSH_PORT: "22"
SSH_LISTEN_PORT: "2222"
LANDING_PAGE: login
service:
DISABLE_REGISTRATION: true
ALLOW_ONLY_EXTERNAL_REGISTRATION: true
SHOW_REGISTRATION_BUTTON: false
ENABLE_PASSWORD_SIGNIN_FORM: false
ENABLE_PASSKEY_AUTHENTICATION: false
REQUIRE_SIGNIN_VIEW: false
"service.explore":
DISABLE_USERS_PAGE: true
DISABLE_ORGANIZATIONS_PAGE: true
openid:
ENABLE_OPENID_SIGNIN: false
ENABLE_OPENID_SIGNUP: false
oauth2_client:
ENABLE_AUTO_REGISTRATION: true
USERNAME: preferred_username
OPENID_CONNECT_SCOPES: "email profile groups"
ACCOUNT_LINKING: auto
UPDATE_AVATAR: true
REGISTER_EMAIL_CONFIRM: false
actions:
ENABLED: true
DEFAULT_ACTIONS_URL: github
LOG_RETENTION_DAYS: 7
ARTIFACT_RETENTION_DAYS: 7
LOG_COMPRESSION: zstd
"storage.packages":
PATH: /data/extra/packages
"storage.actions_log":
PATH: /data/extra/actions_log
"storage.actions_artifacts":
STORAGE_TYPE: local
PATH: /data/extra/actions_artifacts
additionalConfigFromEnvs:
- name: GITEA__database__DB_TYPE
value: postgres
- name: GITEA__database__HOST
value: gitea-db:5432
- name: GITEA__database__NAME
valueFrom:
secretKeyRef:
name: gitea-credentials
key: DB_DATABASE_NAME
- name: GITEA__database__USER
valueFrom:
secretKeyRef:
name: gitea-credentials
key: DB_USERNAME
- name: GITEA__database__PASSWD
valueFrom:
secretKeyRef:
name: gitea-credentials
key: DB_PASSWORD