345 lines
11 KiB
YAML
345 lines
11 KiB
YAML
apiVersion: helm.toolkit.fluxcd.io/v2
|
|
kind: HelmRelease
|
|
metadata:
|
|
name: gitea
|
|
namespace: flux-system
|
|
spec:
|
|
chart:
|
|
spec:
|
|
chart: gitea
|
|
version: 12.5.3
|
|
reconcileStrategy: ChartVersion
|
|
sourceRef:
|
|
kind: HelmRepository
|
|
name: gitea
|
|
namespace: flux-system
|
|
targetNamespace: gitea
|
|
interval: 1m0s
|
|
install:
|
|
remediation:
|
|
retries: 3
|
|
upgrade:
|
|
remediation:
|
|
retries: 3
|
|
# Patch the init script: Gitea 1.26 removed environment-to-ini; use built-in subcommand instead.
|
|
# Remove once helm-gitea chart ships a release with the fix (commit 1baf2d0).
|
|
postRenderers:
|
|
- kustomize:
|
|
patches:
|
|
- target:
|
|
kind: Secret
|
|
name: gitea-gitea
|
|
patch: |
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: gitea-gitea
|
|
stringData:
|
|
config_environment.sh: |
|
|
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
function env2ini::log() {
|
|
printf "$${1}\n"
|
|
}
|
|
|
|
function env2ini::read_config_to_env() {
|
|
local section="$${1}"
|
|
local line="$${2}"
|
|
|
|
if [[ -z "$${line}" ]]; then
|
|
# skip empty line
|
|
return
|
|
fi
|
|
|
|
# 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
|
|
local setting="$(awk -F '=' '{print $1}' <<< "$${line}" | xargs echo -n)"
|
|
|
|
if [[ -z "$${setting}" ]]; then
|
|
env2ini::log ' ! invalid setting'
|
|
exit 1
|
|
fi
|
|
|
|
local value=''
|
|
local regex="^$${setting}(\s*)=(\s*)(.*)"
|
|
if [[ $line =~ $regex ]]; then
|
|
value="$${BASH_REMATCH[3]}"
|
|
else
|
|
env2ini::log ' ! invalid setting'
|
|
exit 1
|
|
fi
|
|
|
|
env2ini::log " + '$${setting}'"
|
|
|
|
if [[ -z "$${section}" ]]; then
|
|
export "GITEA____$${setting^^}=$${value}" # '^^' makes the variable content uppercase
|
|
return
|
|
fi
|
|
|
|
local masked_section="$${section//./_0X2E_}" # '//' instructs to replace all matches
|
|
masked_section="$${masked_section//-/_0X2D_}"
|
|
|
|
export "GITEA__$${masked_section^^}__$${setting^^}=$${value}" # '^^' makes the variable content uppercase
|
|
}
|
|
|
|
function env2ini::reload_preset_envs() {
|
|
env2ini::log "Reloading preset envs..."
|
|
|
|
while read -r line; do
|
|
if [[ -z "$${line}" ]]; then
|
|
# skip empty line
|
|
return
|
|
fi
|
|
|
|
# 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line
|
|
local setting="$(awk -F '=' '{print $1}' <<< "$${line}" | xargs echo -n)"
|
|
|
|
if [[ -z "$${setting}" ]]; then
|
|
env2ini::log ' ! invalid setting'
|
|
exit 1
|
|
fi
|
|
|
|
local value=''
|
|
local regex="^$${setting}(\s*)=(\s*)(.*)"
|
|
if [[ $line =~ $regex ]]; then
|
|
value="$${BASH_REMATCH[3]}"
|
|
else
|
|
env2ini::log ' ! invalid setting'
|
|
exit 1
|
|
fi
|
|
|
|
env2ini::log " + '$${setting}'"
|
|
|
|
export "$${setting^^}=$${value}" # '^^' makes the variable content uppercase
|
|
done < "$TMP_EXISTING_ENVS_FILE"
|
|
|
|
rm $TMP_EXISTING_ENVS_FILE
|
|
}
|
|
|
|
|
|
function env2ini::process_config_file() {
|
|
local config_file="$${1}"
|
|
local section="$(basename "$${config_file}")"
|
|
|
|
if [[ $section == '_generals_' ]]; then
|
|
env2ini::log " [ini root]"
|
|
section=''
|
|
else
|
|
env2ini::log " $${section}"
|
|
fi
|
|
|
|
while read -r line; do
|
|
env2ini::read_config_to_env "$${section}" "$${line}"
|
|
done < <(awk 1 "$${config_file}") # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading
|
|
}
|
|
|
|
function env2ini::load_config_sources() {
|
|
local path="$${1}"
|
|
|
|
if [[ -d "$${path}" ]]; then
|
|
env2ini::log "Processing $(basename "$${path}")..."
|
|
|
|
while read -d '' configFile; do
|
|
env2ini::process_config_file "$${configFile}"
|
|
done < <(find "$${path}" -type l -not -name '..data' -print0)
|
|
|
|
env2ini::log "\n"
|
|
fi
|
|
}
|
|
|
|
function env2ini::generate_initial_secrets() {
|
|
# These environment variables will either be
|
|
# - overwritten with user defined values,
|
|
# - initially used to set up Gitea
|
|
# Anyway, they won't harm existing app.ini files
|
|
|
|
export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
|
|
export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
|
|
export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
|
|
export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
|
|
|
|
env2ini::log "...Initial secrets generated\n"
|
|
}
|
|
|
|
# save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs
|
|
env | (grep -e '^GITEA__' || [[ $? == 1 ]]) > $TMP_EXISTING_ENVS_FILE
|
|
|
|
# MUST BE CALLED BEFORE OTHER CONFIGURATION
|
|
env2ini::generate_initial_secrets
|
|
|
|
env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/inlines/"
|
|
env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/additionals/"
|
|
|
|
# load existing envs to override auto generated envs
|
|
env2ini::reload_preset_envs
|
|
|
|
env2ini::log "=== All configuration sources loaded ===\n"
|
|
|
|
# safety to prevent rewrite of secret keys if an app.ini already exists
|
|
if [ -f $${GITEA_APP_INI} ]; then
|
|
env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
|
|
env2ini::log ' - security.INTERNAL_TOKEN'
|
|
env2ini::log ' - security.SECRET_KEY'
|
|
env2ini::log ' - oauth2.JWT_SECRET'
|
|
env2ini::log ' - server.LFS_JWT_SECRET'
|
|
|
|
unset GITEA__SECURITY__INTERNAL_TOKEN
|
|
unset GITEA__SECURITY__SECRET_KEY
|
|
unset GITEA__OAUTH2__JWT_SECRET
|
|
unset GITEA__SERVER__LFS_JWT_SECRET
|
|
fi
|
|
|
|
gitea config edit-ini --apply-env --config "$GITEA_APP_INI" --out "$GITEA_APP_INI"
|
|
values:
|
|
strategy:
|
|
type: Recreate
|
|
|
|
podSecurityContext:
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
|
|
image:
|
|
# renovate: currentValue=1.26.2-rootless currentDigest=sha256:c5c21a7705a16f2b2369384a3b7d67c5ed761a818bbb0a55187b5cf98cdc2e68
|
|
|
|
tag: 1.26.2
|
|
|
|
digest: sha256:c5c21a7705a16f2b2369384a3b7d67c5ed761a818bbb0a55187b5cf98cdc2e68
|
|
rootless: true
|
|
pullPolicy: IfNotPresent
|
|
|
|
postgresql-ha:
|
|
enabled: false
|
|
postgresql:
|
|
enabled: false
|
|
valkey-cluster:
|
|
enabled: false
|
|
valkey:
|
|
enabled: false
|
|
|
|
persistence:
|
|
enabled: true
|
|
create: true
|
|
claimName: gitea-data
|
|
size: 20Gi
|
|
storageClass: nfs-synology-ssd
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
|
|
extraVolumes:
|
|
- name: gitea-extra
|
|
persistentVolumeClaim:
|
|
claimName: gitea-extra
|
|
extraContainerVolumeMounts:
|
|
- name: gitea-extra
|
|
mountPath: /data/extra
|
|
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 256Mi
|
|
limits:
|
|
memory: 1Gi
|
|
|
|
service:
|
|
http:
|
|
type: ClusterIP
|
|
port: 3000
|
|
ssh:
|
|
type: NodePort
|
|
port: 22
|
|
nodePort: 32022
|
|
|
|
ingress:
|
|
enabled: true
|
|
className: traefik
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt
|
|
hosts:
|
|
- host: ${GITEA_HOST}
|
|
paths:
|
|
- path: /
|
|
pathType: Prefix
|
|
tls:
|
|
- secretName: gitea-tls
|
|
hosts:
|
|
- ${GITEA_HOST}
|
|
|
|
gitea:
|
|
admin:
|
|
existingSecret: gitea-admin
|
|
passwordMode: keepUpdated
|
|
|
|
oauth:
|
|
- name: authelia
|
|
provider: openidConnect
|
|
existingSecret: gitea-oauth-authelia
|
|
autoDiscoverUrl: https://auth.${AUTHELIA_DOMAIN}/.well-known/openid-configuration
|
|
|
|
config:
|
|
repository:
|
|
DEFAULT_BRANCH: master
|
|
server:
|
|
DOMAIN: ${GITEA_HOST}
|
|
ROOT_URL: https://${GITEA_HOST}/
|
|
SSH_DOMAIN: ${GITEA_HOST}
|
|
SSH_PORT: "22"
|
|
SSH_LISTEN_PORT: "2222"
|
|
LANDING_PAGE: login
|
|
service:
|
|
DISABLE_REGISTRATION: true
|
|
ALLOW_ONLY_EXTERNAL_REGISTRATION: true
|
|
SHOW_REGISTRATION_BUTTON: false
|
|
ENABLE_PASSWORD_SIGNIN_FORM: false
|
|
ENABLE_PASSKEY_AUTHENTICATION: false
|
|
REQUIRE_SIGNIN_VIEW: false
|
|
|
|
"service.explore":
|
|
DISABLE_USERS_PAGE: true
|
|
DISABLE_ORGANIZATIONS_PAGE: true
|
|
openid:
|
|
ENABLE_OPENID_SIGNIN: false
|
|
ENABLE_OPENID_SIGNUP: false
|
|
oauth2_client:
|
|
ENABLE_AUTO_REGISTRATION: true
|
|
USERNAME: preferred_username
|
|
OPENID_CONNECT_SCOPES: "email profile groups"
|
|
ACCOUNT_LINKING: auto
|
|
UPDATE_AVATAR: true
|
|
REGISTER_EMAIL_CONFIRM: false
|
|
|
|
actions:
|
|
ENABLED: true
|
|
DEFAULT_ACTIONS_URL: github
|
|
LOG_RETENTION_DAYS: 7
|
|
ARTIFACT_RETENTION_DAYS: 7
|
|
LOG_COMPRESSION: zstd
|
|
|
|
"storage.packages":
|
|
PATH: /data/extra/packages
|
|
"storage.actions_log":
|
|
PATH: /data/extra/actions_log
|
|
"storage.actions_artifacts":
|
|
STORAGE_TYPE: local
|
|
PATH: /data/extra/actions_artifacts
|
|
|
|
additionalConfigFromEnvs:
|
|
- name: GITEA__database__DB_TYPE
|
|
value: postgres
|
|
- name: GITEA__database__HOST
|
|
value: gitea-db:5432
|
|
- name: GITEA__database__NAME
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gitea-credentials
|
|
key: DB_DATABASE_NAME
|
|
- name: GITEA__database__USER
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gitea-credentials
|
|
key: DB_USERNAME
|
|
- name: GITEA__database__PASSWD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gitea-credentials
|
|
key: DB_PASSWORD
|