From 4c9b488aaa949e7f95b03fd3b54312d68d6acd5c Mon Sep 17 00:00:00 2001 
From: dvirlabs Date: Fri, 30 May 2025 12:27:19 +0300 Subject: [PATCH] Change gitea chart from gitea-bitnami to gitea official chart --- .../{gitea-bitnami.yaml => gitea.yaml} | 6 +- charts/gitea-bitnami/.helmignore | 25 - charts/gitea-bitnami/Chart.lock | 9 - charts/gitea-bitnami/Chart.yaml | 39 - charts/gitea-bitnami/README.md | 418 ---- charts/gitea-bitnami/charts/common/Chart.yaml | 23 - charts/gitea-bitnami/charts/common/README.md | 235 -- .../charts/common/templates/_affinities.tpl | 155 -- .../charts/common/templates/_capabilities.tpl | 253 --- .../common/templates/_compatibility.tpl | 46 - .../charts/common/templates/_errors.tpl | 85 - .../charts/common/templates/_images.tpl | 115 - .../charts/common/templates/_ingress.tpl | 73 - .../charts/common/templates/_labels.tpl | 46 - .../charts/common/templates/_names.tpl | 71 - .../charts/common/templates/_resources.tpl | 50 - .../charts/common/templates/_secrets.tpl | 192 -- .../charts/common/templates/_storage.tpl | 21 - .../charts/common/templates/_tplvalues.tpl | 52 - .../charts/common/templates/_utils.tpl | 77 - .../charts/common/templates/_warnings.tpl | 109 - .../templates/validations/_cassandra.tpl | 51 - .../common/templates/validations/_mariadb.tpl | 108 - .../common/templates/validations/_mongodb.tpl | 67 - .../common/templates/validations/_mysql.tpl | 67 - .../templates/validations/_postgresql.tpl | 105 - .../common/templates/validations/_redis.tpl | 48 - .../templates/validations/_validations.tpl | 51 - .../gitea-bitnami/charts/common/values.yaml | 8 - .../charts/postgresql/.helmignore | 25 - .../charts/postgresql/Chart.lock | 6 - .../charts/postgresql/Chart.yaml | 38 - .../gitea-bitnami/charts/postgresql/README.md | 1142 ---------- .../postgresql/charts/common/.helmignore | 26 - .../postgresql/charts/common/Chart.yaml | 23 - .../charts/postgresql/charts/common/README.md | 235 -- .../charts/common/templates/_affinities.tpl | 155 -- .../charts/common/templates/_capabilities.tpl | 253 --- 
.../common/templates/_compatibility.tpl | 46 - .../charts/common/templates/_errors.tpl | 85 - .../charts/common/templates/_images.tpl | 115 - .../charts/common/templates/_ingress.tpl | 73 - .../charts/common/templates/_labels.tpl | 46 - .../charts/common/templates/_names.tpl | 71 - .../charts/common/templates/_resources.tpl | 50 - .../charts/common/templates/_secrets.tpl | 192 -- .../charts/common/templates/_storage.tpl | 21 - .../charts/common/templates/_tplvalues.tpl | 52 - .../charts/common/templates/_utils.tpl | 77 - .../charts/common/templates/_warnings.tpl | 109 - .../templates/validations/_cassandra.tpl | 51 - .../common/templates/validations/_mariadb.tpl | 108 - .../common/templates/validations/_mongodb.tpl | 67 - .../common/templates/validations/_mysql.tpl | 67 - .../templates/validations/_postgresql.tpl | 105 - .../common/templates/validations/_redis.tpl | 48 - .../templates/validations/_validations.tpl | 51 - .../postgresql/charts/common/values.yaml | 8 - .../charts/postgresql/templates/NOTES.txt | 121 -- .../charts/postgresql/templates/_helpers.tpl | 455 ---- .../postgresql/templates/backup/cronjob.yaml | 138 -- .../templates/backup/networkpolicy.yaml | 32 - .../postgresql/templates/backup/pvc.yaml | 34 - .../postgresql/templates/extra-list.yaml | 9 - .../templates/primary/configmap.yaml | 26 - .../templates/primary/extended-configmap.yaml | 20 - .../primary/initialization-configmap.yaml | 17 - .../templates/primary/metrics-configmap.yaml | 18 - .../templates/primary/metrics-svc.yaml | 31 - .../templates/primary/networkpolicy.yaml | 78 - .../postgresql/templates/primary/pdb.yaml | 29 - .../primary/preinitialization-configmap.yaml | 17 - .../templates/primary/servicemonitor.yaml | 46 - .../templates/primary/statefulset.yaml | 705 ------ .../templates/primary/svc-headless.yaml | 31 - .../postgresql/templates/primary/svc.yaml | 58 - .../postgresql/templates/prometheusrule.yaml | 22 - .../charts/postgresql/templates/psp.yaml | 42 - 
.../templates/read/extended-configmap.yaml | 20 - .../templates/read/metrics-configmap.yaml | 18 - .../templates/read/metrics-svc.yaml | 31 - .../templates/read/networkpolicy.yaml | 80 - .../charts/postgresql/templates/read/pdb.yaml | 29 - .../templates/read/servicemonitor.yaml | 46 - .../templates/read/statefulset.yaml | 588 ----- .../templates/read/svc-headless.yaml | 33 - .../charts/postgresql/templates/read/svc.yaml | 60 - .../charts/postgresql/templates/role.yaml | 32 - .../postgresql/templates/rolebinding.yaml | 24 - .../charts/postgresql/templates/secrets.yaml | 120 - .../postgresql/templates/serviceaccount.yaml | 18 - .../postgresql/templates/tls-secrets.yaml | 30 - .../templates/update-password/job.yaml | 235 -- .../templates/update-password/new-secret.yaml | 32 - .../update-password/previous-secret.yaml | 32 - .../charts/postgresql/values.schema.json | 156 -- .../charts/postgresql/values.yaml | 1930 ----------------- charts/gitea-bitnami/templates/NOTES.txt | 80 - charts/gitea-bitnami/templates/_helpers.tpl | 174 -- .../gitea-bitnami/templates/deployment.yaml | 316 --- .../templates/externaldb-secrets.yaml | 19 - .../gitea-bitnami/templates/extra-list.yaml | 9 - charts/gitea-bitnami/templates/ingress.yaml | 59 - .../templates/networkpolicy.yaml | 80 - charts/gitea-bitnami/templates/pdb.yaml | 26 - charts/gitea-bitnami/templates/pv.yaml | 27 - charts/gitea-bitnami/templates/pvc.yaml | 38 - charts/gitea-bitnami/templates/secrets.yaml | 26 - .../templates/service-account.yaml | 18 - charts/gitea-bitnami/templates/svc.yaml | 59 - .../gitea-bitnami/templates/tls-secrets.yaml | 44 - charts/gitea-bitnami/values.yaml | 785 ------- charts/helm-gitea/.commitlintrc.json | 7 + charts/helm-gitea/.editorconfig | 12 + .../.gitea/PULL_REQUEST_TEMPLATE.md | 44 + .../helm-gitea/.gitea/workflows/changelog.yml | 32 + .../.gitea/workflows/commitlint.yml | 19 + .../.gitea/workflows/release-version.yml | 96 + .../helm-gitea/.gitea/workflows/test-pr.yml | 45 + 
charts/helm-gitea/.gitignore | 4 + charts/helm-gitea/.gitmodules | 12 + charts/helm-gitea/.gitsv/config.yaml | 57 + .../charts/common => helm-gitea}/.helmignore | 23 +- charts/helm-gitea/.markdownlint.yaml | 150 ++ charts/helm-gitea/.markdownlintignore | 4 + charts/helm-gitea/.npmrc | 1 + charts/helm-gitea/.prettierignore | 1 + charts/helm-gitea/.vscode/extensions.json | 9 + charts/helm-gitea/.vscode/settings.json | 15 + charts/helm-gitea/.yamllint | 20 + charts/helm-gitea/CODEOWNERS | 1 + charts/helm-gitea/CONTRIBUTING.md | 80 + charts/helm-gitea/Chart.lock | 15 + charts/helm-gitea/Chart.yaml | 55 + charts/helm-gitea/LICENSE | 24 + charts/helm-gitea/Makefile | 26 + charts/helm-gitea/README.md | 1579 ++++++++++++++ charts/helm-gitea/docs/ha-setup.md | 178 ++ charts/helm-gitea/package-lock.json | 1663 ++++++++++++++ charts/helm-gitea/package.json | 19 + charts/helm-gitea/renovate.json5 | 124 ++ charts/helm-gitea/scripts/act_runner/token.sh | 43 + .../config/config_environment.sh | 154 ++ .../init/configure_gpg_environment.sh | 4 + charts/helm-gitea/templates/NOTES.txt | 36 + charts/helm-gitea/templates/_helpers.tpl | 471 ++++ .../gitea/check-actions-not-present.yaml | 3 + charts/helm-gitea/templates/gitea/config.yaml | 57 + .../templates/gitea/deployment.yaml | 426 ++++ .../templates/gitea/deprecation.yaml | 34 + .../templates/gitea/extra-list.yaml | 8 + .../templates/gitea/gpg-secret.yaml | 17 + .../helm-gitea/templates/gitea/http-svc.yaml | 54 + .../helm-gitea/templates/gitea/ingress.yaml | 62 + charts/helm-gitea/templates/gitea/init.yaml | 228 ++ .../templates/gitea/metrics-secret.yaml | 12 + .../templates/gitea/poddisruptionbudget.yaml | 18 + charts/helm-gitea/templates/gitea/pvc.yaml | 26 + .../templates/gitea/serviceaccount.yaml | 21 + .../templates/gitea/servicemonitor.yaml | 43 + .../helm-gitea/templates/gitea/ssh-svc.yaml | 57 + .../templates/tests/test-http-connection.yaml | 18 + .../bash/test_helper/common-setup.bash | 7 + 
.../config/config_environment.bats | 204 ++ .../helm/check-actions-not-present.yaml | 12 + .../unittests/helm/config/actions-config.yaml | 24 + .../unittests/helm/config/cache-config.yaml | 66 + .../config/metrics-section_metrics-token.yaml | 58 + .../unittests/helm/config/queue-config.yaml | 66 + .../helm/config/server-section_domain.yaml | 67 + .../unittests/helm/config/session-config.yaml | 66 + ...customization-integrity-postgresql-ha.yaml | 121 ++ .../customization-integrity-postgresql.yaml | 88 + ...ustomization-integrity-valkey-cluster.yaml | 90 + .../customization-integrity-valkey.yaml | 52 + .../dependency-checks/major-image-bump.yaml | 57 + .../unittests/helm/deployment/HA.yaml | 59 + .../unittests/helm/deployment/basic.yaml | 95 + .../deployment-additional-config.yaml | 150 ++ .../helm/deployment/image-configuration.yaml | 110 + .../deployment/ingress-configuration.yaml | 45 + .../helm/deployment/inline-config.yaml | 33 + .../unittests/helm/deployment/probes.yaml | 188 ++ .../helm/deployment/sidecar-container.yaml | 21 + .../helm/deployment/signing-disabled.yaml | 40 + .../helm/deployment/signing-enabled.yaml | 98 + .../helm/deployment/ssh-configuration.yaml | 64 + .../storage-class-configuration.yaml | 39 + .../helm/deployment/svc-configuration.yaml | 118 + .../helm/gpg-secret/signing-disabled.yaml | 13 + .../helm/gpg-secret/signing-enabled.yaml | 40 + .../unittests/helm/ingress/basic.yaml | 93 + .../helm/ingress/implicit-defaults.yaml | 23 + .../unittests/helm/ingress/ingress.tpl.yaml | 45 + .../helm/ingress/structured-paths.yaml | 26 + .../helm-gitea/unittests/helm/init/basic.yaml | 15 + .../init_directory_structure.sh-rootless.yaml | 82 + .../init/init_directory_structure.sh.yaml | 72 + ...etrics-secret-servicemonitor-disabled.yaml | 23 + ...metrics-secret-servicemonitor-enabled.yaml | 33 + .../unittests/helm/pvc/pvc-configuration.yaml | 19 + .../unittests/helm/serviceaccount/basic.yaml | 82 + .../helm/serviceaccount/reference.yaml | 32 + 
.../unittests/helm/servicemonitor/basic.yaml | 89 + .../servicemonitor-disabled.yaml | 23 + .../servicemonitor-enabled.yaml | 70 + .../helm/values-conflicting-checks.yaml | 14 + charts/helm-gitea/values.yaml | 620 ++++++ manifests/gitea-bitnami/values.yaml | 69 - manifests/gitea/values.yaml | 0 210 files changed, 9558 insertions(+), 13223 deletions(-) rename argocd-apps/{gitea-bitnami.yaml => gitea.yaml} (78%) delete mode 100644 charts/gitea-bitnami/.helmignore delete mode 100644 charts/gitea-bitnami/Chart.lock delete mode 100644 charts/gitea-bitnami/Chart.yaml delete mode 100644 charts/gitea-bitnami/README.md delete mode 100644 charts/gitea-bitnami/charts/common/Chart.yaml delete mode 100644 charts/gitea-bitnami/charts/common/README.md delete mode 100644 charts/gitea-bitnami/charts/common/templates/_affinities.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/_capabilities.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/_compatibility.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/_errors.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/_images.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/_ingress.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/_labels.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/_names.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/_resources.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/_secrets.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/_storage.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/_tplvalues.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/_utils.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/_warnings.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/validations/_cassandra.tpl delete mode 100644 
charts/gitea-bitnami/charts/common/templates/validations/_mariadb.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/validations/_mongodb.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/validations/_mysql.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/validations/_postgresql.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/validations/_redis.tpl delete mode 100644 charts/gitea-bitnami/charts/common/templates/validations/_validations.tpl delete mode 100644 charts/gitea-bitnami/charts/common/values.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/.helmignore delete mode 100644 charts/gitea-bitnami/charts/postgresql/Chart.lock delete mode 100644 charts/gitea-bitnami/charts/postgresql/Chart.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/README.md delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/.helmignore delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/Chart.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/README.md delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/_affinities.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/_capabilities.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/_compatibility.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/_errors.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/_images.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/_ingress.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/_labels.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/_names.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/_resources.tpl delete mode 100644 
charts/gitea-bitnami/charts/postgresql/charts/common/templates/_secrets.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/_storage.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/_tplvalues.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/_utils.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/_warnings.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_cassandra.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_mariadb.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_mongodb.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_mysql.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_postgresql.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_redis.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_validations.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/charts/common/values.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/NOTES.txt delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/_helpers.tpl delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/backup/cronjob.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/backup/networkpolicy.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/backup/pvc.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/extra-list.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/primary/configmap.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/primary/extended-configmap.yaml 
delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/primary/initialization-configmap.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/primary/metrics-configmap.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/primary/metrics-svc.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/primary/networkpolicy.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/primary/pdb.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/primary/preinitialization-configmap.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/primary/servicemonitor.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/primary/statefulset.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/primary/svc-headless.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/primary/svc.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/prometheusrule.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/psp.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/read/extended-configmap.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/read/metrics-configmap.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/read/metrics-svc.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/read/networkpolicy.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/read/pdb.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/read/servicemonitor.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/read/statefulset.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/read/svc-headless.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/read/svc.yaml delete mode 100644 
charts/gitea-bitnami/charts/postgresql/templates/role.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/rolebinding.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/secrets.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/serviceaccount.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/tls-secrets.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/update-password/job.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/update-password/new-secret.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/templates/update-password/previous-secret.yaml delete mode 100644 charts/gitea-bitnami/charts/postgresql/values.schema.json delete mode 100644 charts/gitea-bitnami/charts/postgresql/values.yaml delete mode 100644 charts/gitea-bitnami/templates/NOTES.txt delete mode 100644 charts/gitea-bitnami/templates/_helpers.tpl delete mode 100644 charts/gitea-bitnami/templates/deployment.yaml delete mode 100644 charts/gitea-bitnami/templates/externaldb-secrets.yaml delete mode 100644 charts/gitea-bitnami/templates/extra-list.yaml delete mode 100644 charts/gitea-bitnami/templates/ingress.yaml delete mode 100644 charts/gitea-bitnami/templates/networkpolicy.yaml delete mode 100644 charts/gitea-bitnami/templates/pdb.yaml delete mode 100644 charts/gitea-bitnami/templates/pv.yaml delete mode 100644 charts/gitea-bitnami/templates/pvc.yaml delete mode 100644 charts/gitea-bitnami/templates/secrets.yaml delete mode 100644 charts/gitea-bitnami/templates/service-account.yaml delete mode 100644 charts/gitea-bitnami/templates/svc.yaml delete mode 100644 charts/gitea-bitnami/templates/tls-secrets.yaml delete mode 100644 charts/gitea-bitnami/values.yaml create mode 100644 charts/helm-gitea/.commitlintrc.json create mode 100644 charts/helm-gitea/.editorconfig create mode 100644 charts/helm-gitea/.gitea/PULL_REQUEST_TEMPLATE.md create mode 100644 
charts/helm-gitea/.gitea/workflows/changelog.yml create mode 100644 charts/helm-gitea/.gitea/workflows/commitlint.yml create mode 100644 charts/helm-gitea/.gitea/workflows/release-version.yml create mode 100644 charts/helm-gitea/.gitea/workflows/test-pr.yml create mode 100644 charts/helm-gitea/.gitignore create mode 100644 charts/helm-gitea/.gitmodules create mode 100644 charts/helm-gitea/.gitsv/config.yaml rename charts/{gitea-bitnami/charts/common => helm-gitea}/.helmignore (57%) create mode 100644 charts/helm-gitea/.markdownlint.yaml create mode 100644 charts/helm-gitea/.markdownlintignore create mode 100644 charts/helm-gitea/.npmrc create mode 100644 charts/helm-gitea/.prettierignore create mode 100644 charts/helm-gitea/.vscode/extensions.json create mode 100644 charts/helm-gitea/.vscode/settings.json create mode 100644 charts/helm-gitea/.yamllint create mode 100644 charts/helm-gitea/CODEOWNERS create mode 100644 charts/helm-gitea/CONTRIBUTING.md create mode 100644 charts/helm-gitea/Chart.lock create mode 100644 charts/helm-gitea/Chart.yaml create mode 100644 charts/helm-gitea/LICENSE create mode 100644 charts/helm-gitea/Makefile create mode 100644 charts/helm-gitea/README.md create mode 100644 charts/helm-gitea/docs/ha-setup.md create mode 100644 charts/helm-gitea/package-lock.json create mode 100644 charts/helm-gitea/package.json create mode 100644 charts/helm-gitea/renovate.json5 create mode 100644 charts/helm-gitea/scripts/act_runner/token.sh create mode 100644 charts/helm-gitea/scripts/init-containers/config/config_environment.sh create mode 100644 charts/helm-gitea/scripts/init-containers/init/configure_gpg_environment.sh create mode 100644 charts/helm-gitea/templates/NOTES.txt create mode 100644 charts/helm-gitea/templates/_helpers.tpl create mode 100644 charts/helm-gitea/templates/gitea/check-actions-not-present.yaml create mode 100644 charts/helm-gitea/templates/gitea/config.yaml create mode 100644 charts/helm-gitea/templates/gitea/deployment.yaml 
create mode 100644 charts/helm-gitea/templates/gitea/deprecation.yaml create mode 100644 charts/helm-gitea/templates/gitea/extra-list.yaml create mode 100644 charts/helm-gitea/templates/gitea/gpg-secret.yaml create mode 100644 charts/helm-gitea/templates/gitea/http-svc.yaml create mode 100644 charts/helm-gitea/templates/gitea/ingress.yaml create mode 100644 charts/helm-gitea/templates/gitea/init.yaml create mode 100644 charts/helm-gitea/templates/gitea/metrics-secret.yaml create mode 100644 charts/helm-gitea/templates/gitea/poddisruptionbudget.yaml create mode 100644 charts/helm-gitea/templates/gitea/pvc.yaml create mode 100644 charts/helm-gitea/templates/gitea/serviceaccount.yaml create mode 100644 charts/helm-gitea/templates/gitea/servicemonitor.yaml create mode 100644 charts/helm-gitea/templates/gitea/ssh-svc.yaml create mode 100644 charts/helm-gitea/templates/tests/test-http-connection.yaml create mode 100644 charts/helm-gitea/unittests/bash/test_helper/common-setup.bash create mode 100644 charts/helm-gitea/unittests/bash/tests/init-containers/config/config_environment.bats create mode 100644 charts/helm-gitea/unittests/helm/check-actions-not-present.yaml create mode 100644 charts/helm-gitea/unittests/helm/config/actions-config.yaml create mode 100644 charts/helm-gitea/unittests/helm/config/cache-config.yaml create mode 100644 charts/helm-gitea/unittests/helm/config/metrics-section_metrics-token.yaml create mode 100644 charts/helm-gitea/unittests/helm/config/queue-config.yaml create mode 100644 charts/helm-gitea/unittests/helm/config/server-section_domain.yaml create mode 100644 charts/helm-gitea/unittests/helm/config/session-config.yaml create mode 100644 charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml create mode 100644 charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-postgresql.yaml create mode 100644 
charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-valkey-cluster.yaml create mode 100644 charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-valkey.yaml create mode 100644 charts/helm-gitea/unittests/helm/dependency-checks/major-image-bump.yaml create mode 100644 charts/helm-gitea/unittests/helm/deployment/HA.yaml create mode 100644 charts/helm-gitea/unittests/helm/deployment/basic.yaml create mode 100644 charts/helm-gitea/unittests/helm/deployment/deployment-additional-config.yaml create mode 100644 charts/helm-gitea/unittests/helm/deployment/image-configuration.yaml create mode 100644 charts/helm-gitea/unittests/helm/deployment/ingress-configuration.yaml create mode 100644 charts/helm-gitea/unittests/helm/deployment/inline-config.yaml create mode 100644 charts/helm-gitea/unittests/helm/deployment/probes.yaml create mode 100644 charts/helm-gitea/unittests/helm/deployment/sidecar-container.yaml create mode 100644 charts/helm-gitea/unittests/helm/deployment/signing-disabled.yaml create mode 100644 charts/helm-gitea/unittests/helm/deployment/signing-enabled.yaml create mode 100644 charts/helm-gitea/unittests/helm/deployment/ssh-configuration.yaml create mode 100644 charts/helm-gitea/unittests/helm/deployment/storage-class-configuration.yaml create mode 100644 charts/helm-gitea/unittests/helm/deployment/svc-configuration.yaml create mode 100644 charts/helm-gitea/unittests/helm/gpg-secret/signing-disabled.yaml create mode 100644 charts/helm-gitea/unittests/helm/gpg-secret/signing-enabled.yaml create mode 100644 charts/helm-gitea/unittests/helm/ingress/basic.yaml create mode 100644 charts/helm-gitea/unittests/helm/ingress/implicit-defaults.yaml create mode 100644 charts/helm-gitea/unittests/helm/ingress/ingress.tpl.yaml create mode 100644 charts/helm-gitea/unittests/helm/ingress/structured-paths.yaml create mode 100644 charts/helm-gitea/unittests/helm/init/basic.yaml create mode 100644 
charts/helm-gitea/unittests/helm/init/init_directory_structure.sh-rootless.yaml
create mode 100644 charts/helm-gitea/unittests/helm/init/init_directory_structure.sh.yaml
create mode 100644 charts/helm-gitea/unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml
create mode 100644 charts/helm-gitea/unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml
create mode 100644 charts/helm-gitea/unittests/helm/pvc/pvc-configuration.yaml
create mode 100644 charts/helm-gitea/unittests/helm/serviceaccount/basic.yaml
create mode 100644 charts/helm-gitea/unittests/helm/serviceaccount/reference.yaml
create mode 100644 charts/helm-gitea/unittests/helm/servicemonitor/basic.yaml
create mode 100644 charts/helm-gitea/unittests/helm/servicemonitor/servicemonitor-disabled.yaml
create mode 100644 charts/helm-gitea/unittests/helm/servicemonitor/servicemonitor-enabled.yaml
create mode 100644 charts/helm-gitea/unittests/helm/values-conflicting-checks.yaml
create mode 100644 charts/helm-gitea/values.yaml
delete mode 100644 manifests/gitea-bitnami/values.yaml
create mode 100644 manifests/gitea/values.yaml
diff --git a/argocd-apps/gitea-bitnami.yaml b/argocd-apps/gitea.yaml
similarity index 78%
rename from argocd-apps/gitea-bitnami.yaml
rename to argocd-apps/gitea.yaml
index cc6bea2..6d4878a 100644
--- a/argocd-apps/gitea-bitnami.yaml
+++ b/argocd-apps/gitea.yaml
@@ -1,17 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: gitea-bitnami
+  name: gitea
   namespace: argocd
 spec:
   project: dev-tools
   source:
     repoURL: 'https://git.dvirlabs.com/dvirlabs/dev-tools.git'
     targetRevision: HEAD
-    path: charts/gitea-bitnami
+    path: charts/helm-gitea
     helm:
       valueFiles:
-        - ../../manifests/gitea-bitnami/values.yaml
+        - ../../manifests/gitea/values.yaml
   destination:
     server: https://kubernetes.default.svc
     namespace: dev-tools
diff --git a/charts/gitea-bitnami/.helmignore b/charts/gitea-bitnami/.helmignore
deleted file mode 100644
index 207983f..0000000
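Review bot: The new `valueFiles` entry `../../manifests/gitea/values.yaml` points at a file this commit creates empty (the diffstat lists `manifests/gitea/values.yaml | 0`) while deleting the 69-line `manifests/gitea-bitnami/values.yaml`, so the release will render from the vendored chart's stock `values.yaml` with none of the previous overrides carried across. Upstream chart defaults are generally not meant for a standing deployment — presumably admin credentials, persistence, ingress and the bundled database/cache sub-charts all need explicit settings here, with credentials referenced from an existing Secret rather than written into the values file. Either populate `manifests/gitea/values.yaml` in this commit or say in the description that the values follow, so the empty file is not mistaken for "defaults are fine". Separately, `charts/helm-gitea/Chart.lock` pins the sub-chart versions but no packaged sub-charts appear in the diffstat, so if Argo CD resolves dependencies at render time it will need registry access for them; worth confirming, unless the added `.gitmodules` is what brings them in.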
--- a/charts/gitea-bitnami/.helmignore
+++ /dev/null
@@ -1,25 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-# img folder
-img/
-# Changelog
-CHANGELOG.md
diff --git a/charts/gitea-bitnami/Chart.lock b/charts/gitea-bitnami/Chart.lock
deleted file mode 100644
index ed25434..0000000
--- a/charts/gitea-bitnami/Chart.lock
+++ /dev/null
@@ -1,9 +0,0 @@
-dependencies:
-- name: postgresql
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 16.6.2
-- name: common
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.30.0
-digest: sha256:a108f4f731776ab92491934ecb771e39820d9ba893d532f6d2207f5af9d05014
-generated: "2025-04-07T20:17:42.095704337Z"
diff --git a/charts/gitea-bitnami/Chart.yaml b/charts/gitea-bitnami/Chart.yaml
deleted file mode 100644
index c80b17c..0000000
--- a/charts/gitea-bitnami/Chart.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-annotations:
-  category: Analytics
-  images: |
-    - name: gitea
-      image: docker.io/bitnami/gitea:1.23.7-debian-12-r0
-    - name: os-shell
-      image: docker.io/bitnami/os-shell:12-debian-12-r42
-  licenses: Apache-2.0
-  tanzuCategory: application
-apiVersion: v2
-appVersion: 1.23.7
-dependencies:
-- condition: postgresql.enabled
-  name: postgresql
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 16.x.x
-- name: common
-  repository: oci://registry-1.docker.io/bitnamicharts
-  tags:
-  - bitnami-common
-  version: 2.x.x
-description: Gitea is a lightweight code hosting solution. Written in Go, features
-  low resource consumption, easy upgrades and multiple databases.
-home: https://bitnami.com
-icon: https://dyltqmyl993wv.cloudfront.net/assets/stacks/gitea/img/gitea-stack-220x234.png
-keywords:
-- gitea
-- analytics
-- http
-- web
-- application
-- php
-maintainers:
-- name: Broadcom, Inc. All Rights Reserved.
-  url: https://github.com/bitnami/charts
-name: gitea
-sources:
-- https://github.com/bitnami/charts/tree/main/bitnami/gitea
-version: 3.2.3
diff --git a/charts/gitea-bitnami/README.md b/charts/gitea-bitnami/README.md
deleted file mode 100644
index 13ecf8d..0000000
--- a/charts/gitea-bitnami/README.md
+++ /dev/null
@@ -1,418 +0,0 @@ - - -# Bitnami package for Gitea - -Gitea is a lightweight code hosting solution. Written in Go, features low resource consumption, easy upgrades and multiple databases. - -[Overview of Gitea](https://gitea.io/) - -Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. - -## TL;DR - -```console -helm install my-release oci://registry-1.docker.io/bitnamicharts/gitea -``` - -Looking to use Gitea in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. - -## Introduction - -This chart bootstraps a [Gitea](https://github.com/bitnami/containers/tree/main/bitnami/gitea) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -It also packages the [Bitnami PostgreSQL chart](https://github.com/bitnami/charts/tree/main/bitnami/postgresql) which is required for bootstrapping a PostgreSQL deployment as a database for the Gitea application. - -Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. - -## Prerequisites - -- Kubernetes 1.23+ -- Helm 3.8.0+ -- PV provisioner support in the underlying infrastructure - -## Installing the Chart - -To install the chart with the release name `my-release`: - -```console -helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/gitea -``` - -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. - -The command deploys Gitea on the Kubernetes cluster in the default configuration. 
The [Parameters](#parameters) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Configuration and installation details - -### Resource requests and limits - -Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. - -To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcesPreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - -### [Rolling VS Immutable tags](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. - -### Image - -The `image` parameter allows specifying which image will be pulled for the chart. 
- -#### Private registry - -If you configure the `image` value to one in a private registry, you will need to [specify an image pull secret](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod). - -1. Manually create image pull secret(s) in the namespace. See [this YAML example reference](https://kubernetes.io/docs/concepts/containers/images/#creating-a-secret-with-a-docker-config). Consult your image registry's documentation about getting the appropriate secret. -2. Note that the `imagePullSecrets` configuration value cannot currently be passed to helm using the `--set` parameter, so you must supply these using a `values.yaml` file, such as: - - ```yaml - imagePullSecrets: - - name: SECRET_NAME - ``` - -3. Install the chart - -### Update credentials - -Bitnami charts configure credentials at first boot. Any further change in the secrets or credentials require manual intervention. Follow these instructions: - -- Update the user password following [the upstream documentation](https://docs.gitea.com/administration/command-line#admin) -- Update the password secret with the new values (replace the SECRET_NAME, PASSWORD and SMTP_PASSWORD placeholders) - -```shell -kubectl create secret generic SECRET_NAME --from-literal=admin-password=PASSWORD --from-literal=smtp-password=SMTP_PASSWORD --dry-run -o yaml | kubectl apply -f - -``` - -### Setting Pod's affinity - -This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). - -As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. 
To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. - -### Backup and restore - -To back up and restore Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using [Velero](https://velero.io/), a Kubernetes backup/restore tool. Find the instructions for using Velero in [this guide](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-backup-restore-deployments-velero-index.html). - -## Persistence - -The [Bitnami Gitea](https://github.com/bitnami/containers/tree/main/bitnami/gitea) image stores the Gitea data and configurations at the `/bitnami/gitea` path of the container. - -Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. -See the [Parameters](#parameters) section to configure the PVC or to disable persistence. - -### Existing PersistentVolumeClaim - -1. Create the PersistentVolume -2. Create the PersistentVolumeClaim -3. Install the chart - -```console -helm install my-release --set persistence.existingClaim=PVC_NAME oci://REGISTRY_NAME/REPOSITORY_NAME/gitea -``` - -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. - -### Host path - -#### System compatibility - -- The local filesystem accessibility to a container in a pod with `hostPath` has been tested on OSX/MacOS with xhyve, and Linux with VirtualBox. -- Windows has not been tested with the supported VM drivers. Minikube does however officially support [Mounting Host Folders](https://minikube.sigs.k8s.io/docs/handbook/mount/) per pod. 
Or you may manually sync your container whenever host files are changed with tools like [docker-sync](https://github.com/EugenMayer/docker-sync) or [docker-bg-sync](https://github.com/cweagans/docker-bg-sync). - -#### Mounting steps - -1. The specified `hostPath` directory must already exist (create one if it does not). -2. Install the chart - - ```console - helm install my-release --set persistence.hostPath=/PATH/TO/HOST/MOUNT oci://REGISTRY_NAME/REPOSITORY_NAME/gitea - ``` - - > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. - - This will mount the `gitea-data` volume into the `hostPath` directory. The site data will be persisted if the mount path contains valid data, else the site data will be initialized at first launch. -3. Because the container cannot control the host machine's directory permissions, you must set the Gitea file directory permissions yourself - -## Parameters - -### Global parameters - -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | -| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | -| `global.security.allowInsecureImages` | Allows 
skipping image verification | `false` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | - -### Common parameters - -| Name | Description | Value | -| ------------------- | --------------------------------------------------------------------------------------------------------- | ------ | -| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | -| `nameOverride` | String to partially override gitea.fullname template (will maintain the release name) | `""` | -| `fullnameOverride` | String to fully override gitea.fullname template | `""` | -| `namespaceOverride` | String to fully override common.names.namespace | `""` | -| `commonAnnotations` | Common annotations to add to all Gitea resources (sub-charts are not considered). Evaluated as a template | `{}` | -| `commonLabels` | Common labels to add to all Gitea resources (sub-charts are not considered). Evaluated as a template | `{}` | -| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template). 
| `[]` | -| `usePasswordFiles` | Mount credentials as files instead of using environment variables | `true` | - -### Gitea parameters - -| Name | Description | Value | -| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | -| `image.registry` | Gitea image registry | `REGISTRY_NAME` | -| `image.repository` | Gitea Image name | `REPOSITORY_NAME/gitea` | -| `image.digest` | Gitea image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | Gitea image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `image.debug` | Specify if debug logs should be enabled | `false` | -| `adminUsername` | User of the application | `bn_user` | -| `adminPassword` | Application password | `""` | -| `adminEmail` | Admin email | `user@example.com` | -| `appName` | Gitea application name | `example` | -| `runMode` | Gitea application host | `prod` | -| `exposeSSH` | Make the SSH server accesible | `true` | -| `rootURL` | UI Root URL (for link generation) | `""` | -| `command` | Override default container command (useful when using custom images) | `[]` | -| `args` | Override default container args (useful when using custom images) | `[]` | -| `updateStrategy.type` | Update strategy - only really applicable for deployments with RWO PVs attached | `RollingUpdate` | -| `priorityClassName` | Gitea pods' priorityClassName | `""` | -| `schedulerName` | Name of the k8s scheduler (other than default) | `""` | -| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | -| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | -| `hostAliases` | Add deployment host aliases | `[]` 
| -| `extraEnvVars` | Extra environment variables | `[]` | -| `extraEnvVarsCM` | ConfigMap containing extra env vars | `""` | -| `extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `""` | -| `extraVolumes` | Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | `[]` | -| `extraVolumeMounts` | Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. | `[]` | -| `initContainers` | Add additional init containers to the pod (evaluated as a template) | `[]` | -| `pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` | -| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` | -| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. | `""` | -| `sidecars` | Attach additional containers to the pod (evaluated as a template) | `[]` | -| `tolerations` | Tolerations for pod assignment | `[]` | -| `existingSecret` | Name of a secret with the application password | `""` | -| `existingSecretKey` | Key inside the existing secret containing the password | `admin-password` | -| `smtpHost` | SMTP host | `""` | -| `smtpPort` | SMTP port | `""` | -| `smtpUser` | SMTP user | `""` | -| `smtpPassword` | SMTP password | `""` | -| `smtpExistingSecret` | The name of an existing secret with SMTP credentials | `""` | -| `containerPorts` | Container ports | `{}` | -| `extraContainerPorts` | Optionally specify extra list of additional ports for Gitea container(s) | `[]` | -| `openid.enableSignIn` | Enable sign in with OpenID | `false` | -| `openid.enableSignUp` | Enable sign up with OpenID | `false` | -| `persistence.enabled` | Enable persistence using PVC | `true` | -| `persistence.storageClass` | PVC Storage Class for Gitea volume | `""` | -| `persistence.accessModes` | PVC 
Access Mode for Gitea volume | `["ReadWriteOnce"]` | -| `persistence.size` | PVC Storage Request for Gitea volume | `8Gi` | -| `persistence.dataSource` | Custom PVC data source | `{}` | -| `persistence.existingClaim` | A manually managed Persistent Volume Claim | `""` | -| `persistence.hostPath` | If defined, the gitea-data volume will mount to the specified hostPath. | `""` | -| `persistence.annotations` | Persistent Volume Claim annotations | `{}` | -| `persistence.selector` | Selector to match an existing Persistent Volume for Gitea data PVC | `{}` | -| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | -| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | -| `affinity` | Affinity for pod assignment | `{}` | -| `nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` | -| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). 
| `micro` | -| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `podSecurityContext.enabled` | Enable Gitea pods' Security Context | `true` | -| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `podSecurityContext.fsGroup` | Gitea pods' group ID | `1001` | -| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | -| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | -| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | -| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | -| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | -| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `startupProbe.enabled` | Enable startupProbe | `false` | -| `startupProbe.path` | Request path for startupProbe | `/` | -| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `600` | -| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| 
`startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` | -| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `livenessProbe.enabled` | Enable livenessProbe | `true` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `600` | -| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | -| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `readinessProbe.enabled` | Enable readinessProbe | `true` | -| `readinessProbe.path` | Request path for readinessProbe | `/` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | -| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` | -| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `customStartupProbe` | Override default startup probe | `{}` | -| `customLivenessProbe` | Override default liveness probe | `{}` | -| `customReadinessProbe` | Override default readiness probe | `{}` | -| `lifecycleHooks` | LifecycleHook to set additional configuration at startup Evaluated as a template | `{}` | -| `podAnnotations` | Pod annotations | `{}` | -| `podLabels` | Add additional labels to the pod (evaluated as a template) | `{}` | - -### Traffic Exposure Parameters - -| Name | Description | Value | -| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | -| `service.type` | Kubernetes Service type | `LoadBalancer` | -| `service.ports.http` | Service HTTP 
port | `80` | -| `service.ports.ssh` | Service SSH port | `22` | -| `service.loadBalancerSourceRanges` | Restricts access for LoadBalancer (only with `service.type: LoadBalancer`) | `[]` | -| `service.loadBalancerIP` | loadBalancerIP for the Gitea Service (optional, cloud specific) | `""` | -| `service.nodePorts` | Kubernetes node port | `{}` | -| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `service.clusterIP` | Gitea service Cluster IP | `""` | -| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `service.annotations` | Additional custom annotations for Gitea service | `{}` | -| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | -| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | -| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | -| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | -| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | -| `ingress.enabled` | Enable ingress controller resource | `false` | -| `ingress.pathType` | Ingress Path type | `ImplementationSpecific` | -| `ingress.apiVersion` | Override API Version (automatically detected if not set) | `""` | -| `ingress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | -| `ingress.hostname` | Default host for the ingress resource | `gitea.local` | -| `ingress.path` | The Path to Gitea. You may need to set this to '/*' in order to use this | `/` | -| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | -| `ingress.tls` | Enable TLS configuration for the hostname defined at ingress.hostname parameter | `false` | -| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | -| `ingress.extraHosts` | The list of additional hostnames to be covered with this ingress record. | `[]` | -| `ingress.extraPaths` | Any additional arbitrary paths that may need to be added to the ingress under the main host. | `[]` | -| `ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. 
| `[]` | -| `ingress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` | -| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` | - -### Other Parameters - -| Name | Description | Value | -| --------------------------------------------- | ---------------------------------------------------------------------- | ------- | -| `serviceAccount.create` | Enable creation of ServiceAccount for Gitea pod | `true` | -| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | -| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | - -### Database parameters - -| Name | Description | Value | -| -------------------------------------------- | ----------------------------------------------------------------------- | --------------- | -| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` | -| `postgresql.auth.username` | Name for a custom user to create | `bn_gitea` | -| `postgresql.auth.password` | Password for the custom user to create | `""` | -| `postgresql.auth.database` | Name for a custom database to create | `bitnami_gitea` | -| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` | -| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` | -| `postgresql.service.ports.postgresql` | PostgreSQL service port | `5432` | -| `externalDatabase.host` | Database host | `""` | -| `externalDatabase.port` | Database port number | `5432` | -| `externalDatabase.user` | Non-root username for JupyterHub | `postgres` | -| `externalDatabase.password` | Password for the non-root username for JupyterHub | `""` | -| `externalDatabase.database` | JupyterHub database name | `gitea` | -| 
`externalDatabase.existingSecret` | Name of an existing secret resource containing the database credentials | `""` | -| `externalDatabase.existingSecretPasswordKey` | Name of an existing secret key containing the database credentials | `db-password` | - -### Volume Permissions parameters - -| Name | Description | Value | -| ------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | -| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | Init container volume-permissions image name | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
| `nano` | -| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - -```console -helm install my-release \ - --set adminUsername=user,giteaPassword=password,postgresql.auth.rootPassword=secretpassword \ - oci://REGISTRY_NAME/REPOSITORY_NAME/gitea -``` - -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. - -The above command sets the Gitea administrator account username and password to `user` and `password` respectively. Additionally, it sets the PostgreSQL `root` user password to `secretpassword`. - -> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. - -Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, - -```console -helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/gitea -``` - -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. 
-> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/gitea/values.yaml) - -## Troubleshooting - -Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). - -## Upgrading - -### To 3.1.0 - -This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850). - -### To 3.0.0 - -This major updates the PostgreSQL subchart to its newest major, 16.0.0, which uses PostgreSQL 17.x. Follow the [official instructions](https://www.postgresql.org/docs/17/upgrading.html) to upgrade to 17.x. - -### To 2.0.0 - -This major bump changes the following security defaults: - -- `runAsGroup` is changed from `0` to `1001` -- `readOnlyRootFilesystem` is set to `true` -- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). -- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. - -This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. - -### To 1.0.0 - -This major updates the PostgreSQL subchart to its newest major, 13.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1300) you can find more information about the changes introduced in that version. - -## License - -Copyright © 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. 
-You may obtain a copy of the License at
-
-
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
\ No newline at end of file
diff --git a/charts/gitea-bitnami/charts/common/Chart.yaml b/charts/gitea-bitnami/charts/common/Chart.yaml
deleted file mode 100644
index 10fc86a..0000000
--- a/charts/gitea-bitnami/charts/common/Chart.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-annotations:
- category: Infrastructure
- licenses: Apache-2.0
-apiVersion: v2
-appVersion: 2.30.0
-description: A Library Helm Chart for grouping common logic between bitnami charts.
- This chart is not deployable by itself.
-home: https://bitnami.com
-icon: https://dyltqmyl993wv.cloudfront.net/downloads/logos/bitnami-mark.png
-keywords:
-- common
-- helper
-- template
-- function
-- bitnami
-maintainers:
-- name: Broadcom, Inc. All Rights Reserved.
- url: https://github.com/bitnami/charts
-name: common
-sources:
-- https://github.com/bitnami/charts/tree/main/bitnami/common
-type: library
-version: 2.30.0
diff --git a/charts/gitea-bitnami/charts/common/README.md b/charts/gitea-bitnami/charts/common/README.md
deleted file mode 100644
index 0e5f649..0000000
--- a/charts/gitea-bitnami/charts/common/README.md
+++ /dev/null
@@ -1,235 +0,0 @@ -# Bitnami Common Library Chart - -A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts. - -## TL;DR - -```yaml -dependencies: - - name: common - version: 2.x.x - repository: oci://registry-1.docker.io/bitnamicharts -``` - -```console -helm dependency update -``` - -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.names.fullname" . }} -data: - myvalue: "Hello World" -``` - -Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. - -## Introduction - -This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. - -Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. - -## Prerequisites - -- Kubernetes 1.23+ -- Helm 3.8.0+ - -## Parameters - -## Special input schemas - -### ImageRoot - -```yaml -registry: - type: string - description: Docker registry where the image is located - example: docker.io - -repository: - type: string - description: Repository and image name - example: bitnami/nginx - -tag: - type: string - description: image tag - example: 1.16.1-debian-10-r63 - -pullPolicy: - type: string - description: Specify a imagePullPolicy.' - -pullSecrets: - type: array - items: - type: string - description: Optionally specify an array of imagePullSecrets (evaluated as templates). - -debug: - type: boolean - description: Set to true if you would like to see extra information on logs - example: false - -## An instance would be: -# registry: docker.io -# repository: bitnami/nginx -# tag: 1.16.1-debian-10-r63 -# pullPolicy: IfNotPresent -# debug: false -``` - -### Persistence - -```yaml -enabled: - type: boolean - description: Whether enable persistence. 
- example: true - -storageClass: - type: string - description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. - example: "-" - -accessMode: - type: string - description: Access mode for the Persistent Volume Storage. - example: ReadWriteOnce - -size: - type: string - description: Size the Persistent Volume Storage. - example: 8Gi - -path: - type: string - description: Path to be persisted. - example: /bitnami - -## An instance would be: -# enabled: true -# storageClass: "-" -# accessMode: ReadWriteOnce -# size: 8Gi -# path: /bitnami -``` - -### ExistingSecret - -```yaml -name: - type: string - description: Name of the existing secret. - example: mySecret -keyMapping: - description: Mapping between the expected key name and the name of the key in the existing secret. - type: object - -## An instance would be: -# name: mySecret -# keyMapping: -# password: myPasswordKey -``` - -#### Example of use - -When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. - -```yaml -# templates/secret.yaml ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.names.fullname" . }} - labels: - app: {{ include "common.names.fullname" . }} -type: Opaque -data: - password: {{ .Values.password | b64enc | quote }} - -# templates/dpl.yaml ---- -... - env: - - name: PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} - key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} -... 
- -# values.yaml ---- -name: mySecret -keyMapping: - password: myPasswordKey -``` - -### ValidateValue - -#### NOTES.txt - -```console -{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} -{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} - -{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} -``` - -If we force those values to be empty we will see some alerts - -```console -helm install test mychart --set path.to.value00="",path.to.value01="" - 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: - - export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) - - 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: - - export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d) -``` - -## Upgrading - -### To 1.0.0 - -[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. - -#### What changes were introduced in this major version? - -- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. -- Use `type: library`. 
[Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. -- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts - -#### Considerations when upgrading to this version - -- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues -- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore -- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 - -#### Useful links - -- -- -- - -## License - -Copyright © 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. diff --git a/charts/gitea-bitnami/charts/common/templates/_affinities.tpl b/charts/gitea-bitnami/charts/common/templates/_affinities.tpl deleted file mode 100644 index d387dbe..0000000 --- a/charts/gitea-bitnami/charts/common/templates/_affinities.tpl +++ /dev/null 
@@ -1,155 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Return a soft nodeAffinity definition -{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes.soft" -}} -preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: {{ .key }} - operator: In - values: - {{- range .values }} - - {{ . | quote }} - {{- end }} - weight: 1 -{{- end -}} - -{{/* -Return a hard nodeAffinity definition -{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes.hard" -}} -requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: {{ .key }} - operator: In - values: - {{- range .values }} - - {{ . | quote }} - {{- end }} -{{- end -}} - -{{/* -Return a nodeAffinity definition -{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes" -}} - {{- if eq .type "soft" }} - {{- include "common.affinities.nodes.soft" . -}} - {{- else if eq .type "hard" }} - {{- include "common.affinities.nodes.hard" . 
-}} - {{- end -}} -{{- end -}} - -{{/* -Return a topologyKey definition -{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}} -*/}} -{{- define "common.affinities.topologyKey" -}} -{{ .topologyKey | default "kubernetes.io/hostname" -}} -{{- end -}} - -{{/* -Return a soft podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} -*/}} -{{- define "common.affinities.pods.soft" -}} -{{- $component := default "" .component -}} -{{- $customLabels := default (dict) .customLabels -}} -{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} -{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} -{{- $extraNamespaces := default (list) .extraNamespaces -}} -preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - {{- range $key, $value := $extraMatchLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- if $extraNamespaces }} - namespaces: - - {{ .context.Release.Namespace }} - {{- with $extraNamespaces }} - {{ include "common.tplvalues.render" (dict "value" . 
"context" $) | nindent 8 }} - {{- end }} - {{- end }} - topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} - weight: 1 - {{- range $extraPodAffinityTerms }} - - podAffinityTerm: - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - {{- range $key, $value := .extraMatchLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} - weight: {{ .weight | default 1 -}} - {{- end -}} -{{- end -}} - -{{/* -Return a hard podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} -*/}} -{{- define "common.affinities.pods.hard" -}} -{{- $component := default "" .component -}} -{{- $customLabels := default (dict) .customLabels -}} -{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} -{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} -{{- $extraNamespaces := default (list) .extraNamespaces -}} -requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - {{- range $key, $value := $extraMatchLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- if $extraNamespaces }} - namespaces: - - {{ .context.Release.Namespace }} - {{- with $extraNamespaces }} - {{ include "common.tplvalues.render" (dict "value" . 
"context" $) | nindent 8 }} - {{- end }} - {{- end }} - topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} - {{- range $extraPodAffinityTerms }} - - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - {{- range $key, $value := .extraMatchLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} - {{- end -}} -{{- end -}} - -{{/* -Return a podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.pods" -}} - {{- if eq .type "soft" }} - {{- include "common.affinities.pods.soft" . -}} - {{- else if eq .type "hard" }} - {{- include "common.affinities.pods.hard" . -}} - {{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/common/templates/_capabilities.tpl b/charts/gitea-bitnami/charts/common/templates/_capabilities.tpl deleted file mode 100644 index 6423fb1..0000000 --- a/charts/gitea-bitnami/charts/common/templates/_capabilities.tpl +++ /dev/null 
@@ -1,253 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Return the target Kubernetes version -*/}} -{{- define "common.capabilities.kubeVersion" -}} -{{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}} -{{- end -}} - -{{/* -Return true if the apiVersion is supported -Usage: -{{ include "common.capabilities.apiVersions.has" (dict "version" "batch/v1" "context" $) }} -*/}} -{{- define "common.capabilities.apiVersions.has" -}} -{{- $providedAPIVersions := default .context.Values.apiVersions ((.context.Values.global).apiVersions) -}} -{{- if and (empty $providedAPIVersions) (.context.Capabilities.APIVersions.Has .version) -}} - {{- true -}} -{{- else if has .version $providedAPIVersions -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for poddisruptionbudget. -*/}} -{{- define "common.capabilities.policy.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} -{{- print "policy/v1beta1" -}} -{{- else -}} -{{- print "policy/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for networkpolicy. -*/}} -{{- define "common.capabilities.networkPolicy.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.7-0" $kubeVersion) -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for job. -*/}} -{{- define "common.capabilities.job.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . 
-}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} -{{- print "batch/v1beta1" -}} -{{- else -}} -{{- print "batch/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for cronjob. -*/}} -{{- define "common.capabilities.cronjob.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} -{{- print "batch/v1beta1" -}} -{{- else -}} -{{- print "batch/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for daemonset. -*/}} -{{- define "common.capabilities.daemonset.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for deployment. -*/}} -{{- define "common.capabilities.deployment.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for statefulset. -*/}} -{{- define "common.capabilities.statefulset.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} -{{- print "apps/v1beta1" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for ingress. -*/}} -{{- define "common.capabilities.ingress.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . 
-}} -{{- if (.Values.ingress).apiVersion -}} -{{- .Values.ingress.apiVersion -}} -{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} -{{- print "extensions/v1beta1" -}} -{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end }} -{{- end -}} - -{{/* -Return the appropriate apiVersion for RBAC resources. -*/}} -{{- define "common.capabilities.rbac.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.17-0" $kubeVersion) -}} -{{- print "rbac.authorization.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "rbac.authorization.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for CRDs. -*/}} -{{- define "common.capabilities.crd.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} -{{- print "apiextensions.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "apiextensions.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for APIService. -*/}} -{{- define "common.capabilities.apiService.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.10-0" $kubeVersion) -}} -{{- print "apiregistration.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "apiregistration.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for Horizontal Pod Autoscaler. 
-*/}} -{{- define "common.capabilities.hpa.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} -{{- if .beta2 -}} -{{- print "autoscaling/v2beta2" -}} -{{- else -}} -{{- print "autoscaling/v2beta1" -}} -{{- end -}} -{{- else -}} -{{- print "autoscaling/v2" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for Vertical Pod Autoscaler. -*/}} -{{- define "common.capabilities.vpa.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.11-0" $kubeVersion) -}} -{{- print "autoscaling/v1beta1" -}} -{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} -{{- print "autoscaling/v1beta2" -}} -{{- else -}} -{{- print "autoscaling/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Returns true if PodSecurityPolicy is supported -*/}} -{{- define "common.capabilities.psp.supported" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if or (empty $kubeVersion) (semverCompare "<1.25-0" $kubeVersion) -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Returns true if AdmissionConfiguration is supported -*/}} -{{- define "common.capabilities.admissionConfiguration.supported" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if or (empty $kubeVersion) (not (semverCompare "<1.23-0" $kubeVersion)) -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for AdmissionConfiguration. -*/}} -{{- define "common.capabilities.admissionConfiguration.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . 
-}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} -{{- print "apiserver.config.k8s.io/v1alpha1" -}} -{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} -{{- print "apiserver.config.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "apiserver.config.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for PodSecurityConfiguration. -*/}} -{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} -{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}} -{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} -{{- print "pod-security.admission.config.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "pod-security.admission.config.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Returns true if the used Helm version is 3.3+. -A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. -This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. -**To be removed when the catalog's minimun Helm version is 3.3** -*/}} -{{- define "common.capabilities.supportsHelmVersion" -}} -{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} - {{- true -}} -{{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/common/templates/_compatibility.tpl b/charts/gitea-bitnami/charts/common/templates/_compatibility.tpl deleted file mode 100644 index 19c26db..0000000 --- a/charts/gitea-bitnami/charts/common/templates/_compatibility.tpl +++ /dev/null 
@@ -1,46 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Return true if the detected platform is Openshift -Usage: -{{- include "common.compatibility.isOpenshift" . -}} -*/}} -{{- define "common.compatibility.isOpenshift" -}} -{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} -{{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC -Usage: -{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}} -*/}} -{{- define "common.compatibility.renderSecurityContext" -}} -{{- $adaptedContext := .secContext -}} - -{{- if (((.context.Values.global).compatibility).openshift) -}} - {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} - {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} - {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} - {{- if not .secContext.seLinuxOptions -}} - {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}} - {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{/* Remove empty seLinuxOptions object if global.compatibility.omitEmptySeLinuxOptions is set to true */}} -{{- if and (((.context.Values.global).compatibility).omitEmptySeLinuxOptions) (not .secContext.seLinuxOptions) -}} - {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} -{{- end -}} -{{/* Remove fields that 
are disregarded when running the container in privileged mode */}} -{{- if $adaptedContext.privileged -}} - {{- $adaptedContext = omit $adaptedContext "capabilities" -}} -{{- end -}} -{{- omit $adaptedContext "enabled" | toYaml -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/common/templates/_errors.tpl b/charts/gitea-bitnami/charts/common/templates/_errors.tpl deleted file mode 100644 index 93f3ffc..0000000 --- a/charts/gitea-bitnami/charts/common/templates/_errors.tpl +++ /dev/null 
@@ -1,85 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Throw error when upgrading using empty passwords values that must not be empty. - -Usage: -{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} -{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} -{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} - -Required password params: - - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. - - context - Context - Required. Parent context. -*/}} -{{- define "common.errors.upgrade.passwords.empty" -}} - {{- $validationErrors := join "" .validationErrors -}} - {{- if and $validationErrors .context.Release.IsUpgrade -}} - {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} - {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} - {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} - {{- $errorString = print $errorString "\n%s" -}} - {{- printf $errorString $validationErrors | fail -}} - {{- end -}} -{{- end -}} - -{{/* -Throw error when original container images are replaced. -The error can be bypassed by setting the "global.security.allowInsecureImages" to true. In this case, -a warning message will be shown instead. 
- -Usage: -{{ include "common.errors.insecureImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }} -*/}} -{{- define "common.errors.insecureImages" -}} -{{- $relocatedImages := list -}} -{{- $replacedImages := list -}} -{{- $retaggedImages := list -}} -{{- $globalRegistry := ((.context.Values.global).imageRegistry) -}} -{{- $originalImages := .context.Chart.Annotations.images -}} -{{- range .images -}} - {{- $registryName := default .registry $globalRegistry -}} - {{- $fullImageNameNoTag := printf "%s/%s" $registryName .repository -}} - {{- $fullImageName := printf "%s:%s" $fullImageNameNoTag .tag -}} - {{- if not (contains $fullImageNameNoTag $originalImages) -}} - {{- if not (contains $registryName $originalImages) -}} - {{- $relocatedImages = append $relocatedImages $fullImageName -}} - {{- else if not (contains .repository $originalImages) -}} - {{- $replacedImages = append $replacedImages $fullImageName -}} - {{- end -}} - {{- end -}} - {{- if not (contains (printf "%s:%s" .repository .tag) $originalImages) -}} - {{- $retaggedImages = append $retaggedImages $fullImageName -}} - {{- end -}} -{{- end -}} - -{{- if and (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) (((.context.Values.global).security).allowInsecureImages) -}} - {{- print "\n\n⚠ SECURITY WARNING: Verifying original container images was skipped. Please note this Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.\n" -}} -{{- else if (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) -}} - {{- $errorString := "Original containers have been substituted for unrecognized ones. 
Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables." -}} - {{- $errorString = print $errorString "\n\nUnrecognized images:" -}} - {{- range (concat $relocatedImages $replacedImages) -}} - {{- $errorString = print $errorString "\n - " . -}} - {{- end -}} - {{- if or (contains "docker.io/bitnami/" $originalImages) (contains "docker.io/bitnamiprem/" $originalImages) -}} - {{- $errorString = print "\n\n⚠ ERROR: " $errorString -}} - {{- $errorString = print $errorString "\n\nIf you are sure you want to proceed with non-standard containers, you can skip container image verification by setting the global parameter 'global.security.allowInsecureImages' to true." -}} - {{- $errorString = print $errorString "\nFurther information can be obtained at https://github.com/bitnami/charts/issues/30850" -}} - {{- print $errorString | fail -}} - {{- else if gt (len $replacedImages) 0 -}} - {{- $errorString = print "\n\n⚠ WARNING: " $errorString -}} - {{- print $errorString -}} - {{- end -}} -{{- else if gt (len $retaggedImages) 0 -}} - {{- $warnString := "\n\n⚠ WARNING: Original containers have been retagged. Please note this Helm chart was tested, and validated on multiple platforms using a specific set of Tanzu Application Catalog containers. Substituting original image tags could cause unexpected behavior." -}} - {{- $warnString = print $warnString "\n\nRetagged images:" -}} - {{- range $retaggedImages -}} - {{- $warnString = print $warnString "\n - " . -}} - {{- end -}} - {{- print $warnString -}} -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/charts/gitea-bitnami/charts/common/templates/_images.tpl b/charts/gitea-bitnami/charts/common/templates/_images.tpl deleted file mode 100644 index 76bb7ce..0000000 --- a/charts/gitea-bitnami/charts/common/templates/_images.tpl +++ /dev/null 
@@ -1,115 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Return the proper image name. -If image tag and digest are not defined, termination fallbacks to chart appVersion. -{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global "chart" .Chart ) }} -*/}} -{{- define "common.images.image" -}} -{{- $registryName := default .imageRoot.registry ((.global).imageRegistry) -}} -{{- $repositoryName := .imageRoot.repository -}} -{{- $separator := ":" -}} -{{- $termination := .imageRoot.tag | toString -}} - -{{- if not .imageRoot.tag }} - {{- if .chart }} - {{- $termination = .chart.AppVersion | toString -}} - {{- end -}} -{{- end -}} -{{- if .imageRoot.digest }} - {{- $separator = "@" -}} - {{- $termination = .imageRoot.digest | toString -}} -{{- end -}} -{{- if $registryName }} - {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} -{{- else -}} - {{- printf "%s%s%s" $repositoryName $separator $termination -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) -{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} -*/}} -{{- define "common.images.pullSecrets" -}} - {{- $pullSecrets := list }} - - {{- range ((.global).imagePullSecrets) -}} - {{- if kindIs "map" . -}} - {{- $pullSecrets = append $pullSecrets .name -}} - {{- else -}} - {{- $pullSecrets = append $pullSecrets . -}} - {{- end }} - {{- end -}} - - {{- range .images -}} - {{- range .pullSecrets -}} - {{- if kindIs "map" . -}} - {{- $pullSecrets = append $pullSecrets .name -}} - {{- else -}} - {{- $pullSecrets = append $pullSecrets . 
-}} - {{- end -}} - {{- end -}} - {{- end -}} - - {{- if (not (empty $pullSecrets)) -}} -imagePullSecrets: - {{- range $pullSecrets | uniq }} - - name: {{ . }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names evaluating values as templates -{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} -*/}} -{{- define "common.images.renderPullSecrets" -}} - {{- $pullSecrets := list }} - {{- $context := .context }} - - {{- range (($context.Values.global).imagePullSecrets) -}} - {{- if kindIs "map" . -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} - {{- else -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} - {{- end -}} - {{- end -}} - - {{- range .images -}} - {{- range .pullSecrets -}} - {{- if kindIs "map" . -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} - {{- else -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} - {{- end -}} - {{- end -}} - {{- end -}} - - {{- if (not (empty $pullSecrets)) -}} -imagePullSecrets: - {{- range $pullSecrets | uniq }} - - name: {{ . 
}} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion) -{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }} -*/}} -{{- define "common.images.version" -}} -{{- $imageTag := .imageRoot.tag | toString -}} -{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}} -{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}} - {{- $version := semver $imageTag -}} - {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}} -{{- else -}} - {{- print .chart.AppVersion -}} -{{- end -}} -{{- end -}} - diff --git a/charts/gitea-bitnami/charts/common/templates/_ingress.tpl b/charts/gitea-bitnami/charts/common/templates/_ingress.tpl deleted file mode 100644 index 7d2b879..0000000 --- a/charts/gitea-bitnami/charts/common/templates/_ingress.tpl +++ /dev/null 
@@ -1,73 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Generate backend entry that is compatible with all Kubernetes API versions. - -Usage: -{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} - -Params: - - serviceName - String. Name of an existing service backend - - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. - - context - Dict - Required. The context for the template evaluation. -*/}} -{{- define "common.ingress.backend" -}} -{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} -{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} -serviceName: {{ .serviceName }} -servicePort: {{ .servicePort }} -{{- else -}} -service: - name: {{ .serviceName }} - port: - {{- if typeIs "string" .servicePort }} - name: {{ .servicePort }} - {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} - number: {{ .servicePort | int }} - {{- end }} -{{- end -}} -{{- end -}} - -{{/* -Print "true" if the API pathType field is supported -Usage: -{{ include "common.ingress.supportsPathType" . }} -*/}} -{{- define "common.ingress.supportsPathType" -}} -{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} -{{- print "false" -}} -{{- else -}} -{{- print "true" -}} -{{- end -}} -{{- end -}} - -{{/* -Returns true if the ingressClassname field is supported -Usage: -{{ include "common.ingress.supportsIngressClassname" . }} -*/}} -{{- define "common.ingress.supportsIngressClassname" -}} -{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) 
-}} -{{- print "false" -}} -{{- else -}} -{{- print "true" -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if cert-manager required annotations for TLS signed -certificates are set in the Ingress annotations -Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations -Usage: -{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} -*/}} -{{- define "common.ingress.certManagerRequest" -}} -{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }} - {{- true -}} -{{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/common/templates/_labels.tpl b/charts/gitea-bitnami/charts/common/templates/_labels.tpl deleted file mode 100644 index 0a0cc54..0000000 --- a/charts/gitea-bitnami/charts/common/templates/_labels.tpl +++ /dev/null 
@@ -1,46 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Kubernetes standard labels -{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}} -*/}} -{{- define "common.labels.standard" -}} -{{- if and (hasKey . "customLabels") (hasKey . "context") -}} -{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}} -{{- with .context.Chart.AppVersion -}} -{{- $_ := set $default "app.kubernetes.io/version" . -}} -{{- end -}} -{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }} -{{- else -}} -app.kubernetes.io/name: {{ include "common.names.name" . }} -helm.sh/chart: {{ include "common.names.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- with .Chart.AppVersion }} -app.kubernetes.io/version: {{ . | quote }} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector -{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}} - -We don't want to loop over custom labels appending them to the selector -since it's very likely that it will break deployments, services, etc. -However, it's important to overwrite the standard labels if the user -overwrote them on metadata.labels fields. -*/}} -{{- define "common.labels.matchLabels" -}} -{{- if and (hasKey . "customLabels") (hasKey . 
"context") -}} -{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }} -{{- else -}} -app.kubernetes.io/name: {{ include "common.names.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/common/templates/_names.tpl b/charts/gitea-bitnami/charts/common/templates/_names.tpl deleted file mode 100644 index ba83956..0000000 --- a/charts/gitea-bitnami/charts/common/templates/_names.tpl +++ /dev/null 
@@ -1,71 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "common.names.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "common.names.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "common.names.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create a default fully qualified dependency name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. 
-Usage: -{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} -*/}} -{{- define "common.names.dependency.fullname" -}} -{{- if .chartValues.fullnameOverride -}} -{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .chartName .chartValues.nameOverride -}} -{{- if contains $name .context.Release.Name -}} -{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Allow the release namespace to be overridden for multi-namespace deployments in combined charts. -*/}} -{{- define "common.names.namespace" -}} -{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a fully qualified app name adding the installation's namespace. -*/}} -{{- define "common.names.fullname.namespace" -}} -{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/common/templates/_resources.tpl b/charts/gitea-bitnami/charts/common/templates/_resources.tpl deleted file mode 100644 index d8a43e1..0000000 --- a/charts/gitea-bitnami/charts/common/templates/_resources.tpl +++ /dev/null 
@@ -1,50 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Return a resource request/limit object based on a given preset. -These presets are for basic testing and not meant to be used in production -{{ include "common.resources.preset" (dict "type" "nano") -}} -*/}} -{{- define "common.resources.preset" -}} -{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}} -{{- $presets := dict - "nano" (dict - "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") - "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi") - ) - "micro" (dict - "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") - "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi") - ) - "small" (dict - "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") - "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi") - ) - "medium" (dict - "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") - "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi") - ) - "large" (dict - "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") - "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi") - ) - "xlarge" (dict - "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") - "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi") - ) - "2xlarge" (dict - "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") - "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi") - ) - }} -{{- if hasKey $presets .type -}} -{{- index $presets .type | toYaml -}} -{{- else -}} -{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} -{{- end -}} -{{- end -}} 
diff --git a/charts/gitea-bitnami/charts/common/templates/_secrets.tpl b/charts/gitea-bitnami/charts/common/templates/_secrets.tpl deleted file mode 100644 index bfef469..0000000 --- a/charts/gitea-bitnami/charts/common/templates/_secrets.tpl +++ /dev/null 
@@ -1,192 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Generate secret name. - -Usage: -{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} - -Params: - - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user - to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. - +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret - - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. - - context - Dict - Required. The context for the template evaluation. -*/}} -{{- define "common.secrets.name" -}} -{{- $name := (include "common.names.fullname" .context) -}} - -{{- if .defaultNameSuffix -}} -{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{- with .existingSecret -}} -{{- if not (typeIs "string" .) -}} -{{- with .name -}} -{{- $name = . -}} -{{- end -}} -{{- else -}} -{{- $name = . -}} -{{- end -}} -{{- end -}} - -{{- printf "%s" $name -}} -{{- end -}} - -{{/* -Generate secret key. - -Usage: -{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} - -Params: - - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user - to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. - +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret - - key - String - Required. Name of the key in the secret. 
-*/}} -{{- define "common.secrets.key" -}} -{{- $key := .key -}} - -{{- if .existingSecret -}} - {{- if not (typeIs "string" .existingSecret) -}} - {{- if .existingSecret.keyMapping -}} - {{- $key = index .existingSecret.keyMapping $.key -}} - {{- end -}} - {{- end }} -{{- end -}} - -{{- printf "%s" $key -}} -{{- end -}} - -{{/* -Generate secret password or retrieve one if already created. - -Usage: -{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $) }} - -Params: - - secret - String - Required - Name of the 'Secret' resource where the password is stored. - - key - String - Required - Name of the key in the secret. - - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. - - length - int - Optional - Length of the generated random password. - - strong - Boolean - Optional - Whether to add symbols to the generated random password. - - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - - context - Context - Required - Parent context. - - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. - - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. - - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. - - honorProvidedValues - Boolean - Optional - Default to false. If set to true, the values in providedValues have higher priority than an existing secret -The order in which this function returns a secret password: - 1. 
Password provided via the values.yaml if honorProvidedValues = true - (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) - 2. Already existing 'Secret' resource - (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) - 3. Password provided via the values.yaml if honorProvidedValues = false - (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) - 4. Randomly generated secret password - (A new random secret password with the length specified in the 'length' parameter will be generated and returned) - -*/}} -{{- define "common.secrets.passwords.manage" -}} - -{{- $password := "" }} -{{- $subchart := "" }} -{{- $chartName := default "" .chartName }} -{{- $passwordLength := default 10 .length }} -{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} -{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} -{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} -{{- if $secretData }} - {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | b64dec }} - {{- else if not (eq .failOnNew false) }} - {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} - {{- end -}} -{{- end }} - -{{- if and $providedPasswordValue .honorProvidedValues }} - {{- $password = $providedPasswordValue | toString }} -{{- end }} - -{{- if not $password 
}} - {{- if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString }} - {{- else }} - {{- if .context.Values.enabled }} - {{- $subchart = $chartName }} - {{- end -}} - - {{- if not (eq .failOnNew false) }} - {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} - {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} - {{- $passwordValidationErrors := list $requiredPasswordError -}} - {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} - {{- end }} - - {{- if .strong }} - {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} - {{- $password = randAscii $passwordLength }} - {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} - {{- else }} - {{- $password = randAlphaNum $passwordLength }} - {{- end }} - {{- end -}} -{{- end -}} -{{- if not .skipB64enc }} -{{- $password = $password | b64enc }} -{{- end -}} -{{- if .skipQuote -}} -{{- printf "%s" $password -}} -{{- else -}} -{{- printf "%s" $password | quote -}} -{{- end -}} -{{- end -}} - -{{/* -Reuses the value from an existing secret, otherwise sets its value to a default value. - -Usage: -{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }} - -Params: - - secret - String - Required - Name of the 'Secret' resource where the password is stored. - - key - String - Required - Name of the key in the secret. - - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. - - context - Context - Required - Parent context. 
- -*/}} -{{- define "common.secrets.lookup" -}} -{{- $value := "" -}} -{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}} -{{- if and $secretData (hasKey $secretData .key) -}} - {{- $value = index $secretData .key -}} -{{- else if .defaultValue -}} - {{- $value = .defaultValue | toString | b64enc -}} -{{- end -}} -{{- if $value -}} -{{- printf "%s" $value -}} -{{- end -}} -{{- end -}} - -{{/* -Returns whether a previous generated secret already exists - -Usage: -{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} - -Params: - - secret - String - Required - Name of the 'Secret' resource where the password is stored. - - context - Context - Required - Parent context. -*/}} -{{- define "common.secrets.exists" -}} -{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }} -{{- if $secret }} - {{- true -}} -{{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/common/templates/_storage.tpl b/charts/gitea-bitnami/charts/common/templates/_storage.tpl deleted file mode 100644 index aa75856..0000000 --- a/charts/gitea-bitnami/charts/common/templates/_storage.tpl +++ /dev/null @@ -1,21 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Return the proper Storage Class -{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} -*/}} -{{- define "common.storage.class" -}} -{{- $storageClass := (.global).storageClass | default .persistence.storageClass | default (.global).defaultStorageClass | default "" -}} -{{- if $storageClass -}} - {{- if (eq "-" $storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else -}} - {{- printf "storageClassName: %s" $storageClass -}} - {{- end -}} -{{- end -}} -{{- end -}} 
diff --git a/charts/gitea-bitnami/charts/common/templates/_tplvalues.tpl b/charts/gitea-bitnami/charts/common/templates/_tplvalues.tpl deleted file mode 100644 index a04f4c1..0000000 --- a/charts/gitea-bitnami/charts/common/templates/_tplvalues.tpl +++ /dev/null 
@@ -1,52 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Renders a value that contains template perhaps with scope if the scope is present. -Usage: -{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} -{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} -*/}} -{{- define "common.tplvalues.render" -}} -{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }} -{{- if contains "{{" (toJson .value) }} - {{- if .scope }} - {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} - {{- else }} - {{- tpl $value .context }} - {{- end }} -{{- else }} - {{- $value }} -{{- end }} -{{- end -}} - -{{/* -Merge a list of values that contains template after rendering them. -Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge -Usage: -{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} -*/}} -{{- define "common.tplvalues.merge" -}} -{{- $dst := dict -}} -{{- range .values -}} -{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}} -{{- end -}} -{{ $dst | toYaml }} -{{- end -}} - -{{/* -Merge a list of values that contains template after rendering them. -Merge precedence is consistent with https://masterminds.github.io/sprig/dicts.html#mergeoverwrite-mustmergeoverwrite -Usage: -{{ include "common.tplvalues.merge-overwrite" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} -*/}} -{{- define "common.tplvalues.merge-overwrite" -}} -{{- $dst := dict -}} -{{- range .values -}} -{{- $dst = include "common.tplvalues.render" (dict "value" . 
"context" $.context "scope" $.scope) | fromYaml | mergeOverwrite $dst -}} -{{- end -}} -{{ $dst | toYaml }} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/common/templates/_utils.tpl b/charts/gitea-bitnami/charts/common/templates/_utils.tpl deleted file mode 100644 index d53c74a..0000000 --- a/charts/gitea-bitnami/charts/common/templates/_utils.tpl +++ /dev/null 
@@ -1,77 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Print instructions to get a secret value. -Usage: -{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} -*/}} -{{- define "common.utils.secret.getvalue" -}} -{{- $varname := include "common.utils.fieldToEnvVar" . -}} -export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d) -{{- end -}} - -{{/* -Build env var name given a field -Usage: -{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} -*/}} -{{- define "common.utils.fieldToEnvVar" -}} - {{- $fieldNameSplit := splitList "-" .field -}} - {{- $upperCaseFieldNameSplit := list -}} - - {{- range $fieldNameSplit -}} - {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} - {{- end -}} - - {{ join "_" $upperCaseFieldNameSplit }} -{{- end -}} - -{{/* -Gets a value from .Values given -Usage: -{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} -*/}} -{{- define "common.utils.getValueFromKey" -}} -{{- $splitKey := splitList "." .key -}} -{{- $value := "" -}} -{{- $latestObj := $.context.Values -}} -{{- range $splitKey -}} - {{- if not $latestObj -}} - {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} - {{- end -}} - {{- $value = ( index $latestObj . 
) -}} - {{- $latestObj = $value -}} -{{- end -}} -{{- printf "%v" (default "" $value) -}} -{{- end -}} - -{{/* -Returns first .Values key with a defined value or first of the list if all non-defined -Usage: -{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} -*/}} -{{- define "common.utils.getKeyFromList" -}} -{{- $key := first .keys -}} -{{- $reverseKeys := reverse .keys }} -{{- range $reverseKeys }} - {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} - {{- if $value -}} - {{- $key = . }} - {{- end -}} -{{- end -}} -{{- printf "%s" $key -}} -{{- end -}} - -{{/* -Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376). -Usage: -{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }} -*/}} -{{- define "common.utils.checksumTemplate" -}} -{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}} -{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/common/templates/_warnings.tpl b/charts/gitea-bitnami/charts/common/templates/_warnings.tpl deleted file mode 100644 index 62c44df..0000000 --- a/charts/gitea-bitnami/charts/common/templates/_warnings.tpl +++ /dev/null 
@@ -1,109 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Warning about using rolling tag. -Usage: -{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} -*/}} -{{- define "common.warnings.rollingTag" -}} - -{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} -WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html -{{- end }} -{{- end -}} - -{{/* -Warning about replaced images from the original. -Usage: -{{ include "common.warnings.modifiedImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }} -*/}} -{{- define "common.warnings.modifiedImages" -}} -{{- $affectedImages := list -}} -{{- $printMessage := false -}} -{{- $originalImages := .context.Chart.Annotations.images -}} -{{- range .images -}} - {{- $fullImageName := printf (printf "%s/%s:%s" .registry .repository .tag) -}} - {{- if not (contains $fullImageName $originalImages) }} - {{- $affectedImages = append $affectedImages (printf "%s/%s:%s" .registry .repository .tag) -}} - {{- $printMessage = true -}} - {{- end -}} -{{- end -}} -{{- if $printMessage }} - -⚠ SECURITY WARNING: Original containers have been substituted. This Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables. - -Substituted images detected: -{{- range $affectedImages }} - - {{ . 
}} -{{- end }} -{{- end -}} -{{- end -}} - -{{/* -Warning about not setting the resource object in all deployments. -Usage: -{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} -Example: -{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} -The list in the example assumes that the following values exist: - - csiProvider.provider.resources - - server.resources - - volumePermissions.resources - - resources -*/}} -{{- define "common.warnings.resources" -}} -{{- $values := .context.Values -}} -{{- $printMessage := false -}} -{{ $affectedSections := list -}} -{{- range .sections -}} - {{- if eq . "" -}} - {{/* Case where the resources section is at the root (one main deployment in the chart) */}} - {{- if not (index $values "resources") -}} - {{- $affectedSections = append $affectedSections "resources" -}} - {{- $printMessage = true -}} - {{- end -}} - {{- else -}} - {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} - {{- $keys := split "." . -}} - {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} - {{- $section := $values -}} - {{- range $keys -}} - {{- $section = index $section . -}} - {{- end -}} - {{- if not (index $section "resources") -}} - {{/* If the section has enabled=false or replicaCount=0, do not include it */}} - {{- if and (hasKey $section "enabled") -}} - {{- if index $section "enabled" -}} - {{/* enabled=true */}} - {{- $affectedSections = append $affectedSections (printf "%s.resources" .) 
-}} - {{- $printMessage = true -}} - {{- end -}} - {{- else if and (hasKey $section "replicaCount") -}} - {{/* We need a casting to int because number 0 is not treated as an int by default */}} - {{- if (gt (index $section "replicaCount" | int) 0) -}} - {{/* replicaCount > 0 */}} - {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} - {{- $printMessage = true -}} - {{- end -}} - {{- else -}} - {{/* Default case, add it to the affected sections */}} - {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} - {{- $printMessage = true -}} - {{- end -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{- if $printMessage }} - -WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: -{{- range $affectedSections }} - - {{ . }} -{{- end }} -+info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ -{{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/common/templates/validations/_cassandra.tpl b/charts/gitea-bitnami/charts/common/templates/validations/_cassandra.tpl deleted file mode 100644 index f8fd213..0000000 --- a/charts/gitea-bitnami/charts/common/templates/validations/_cassandra.tpl +++ /dev/null 
@@ -1,51 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.cassandra.values.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.dbUser.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled cassandra. - -Usage: -{{ include "common.cassandra.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.cassandra.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.cassandra.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key dbUser - -Usage: -{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.cassandra.values.key.dbUser" -}} - {{- if .subchart -}} - cassandra.dbUser - {{- else -}} - dbUser - {{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/common/templates/validations/_mariadb.tpl b/charts/gitea-bitnami/charts/common/templates/validations/_mariadb.tpl deleted file mode 100644 index 6ea8c0f..0000000 --- a/charts/gitea-bitnami/charts/common/templates/validations/_mariadb.tpl +++ /dev/null 
@@ -1,108 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Validate MariaDB required passwords are not empty. - -Usage: -{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.mariadb.passwords" -}} - {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mariadb.values.enabled" . -}} - {{- $architecture := include "common.mariadb.values.architecture" . -}} - {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- if not (empty $valueUsername) -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replication") -}} - {{- $requiredReplicationPassword := dict "valueKey" 
$valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.auth.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.mariadb.auth.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.auth.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled mariadb. - -Usage: -{{ include "common.mariadb.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.mariadb.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.mariadb.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for architecture - -Usage: -{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.architecture" -}} - {{- if .subchart -}} - {{- .context.Values.mariadb.architecture -}} - {{- else -}} - {{- .context.Values.architecture -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key auth - -Usage: -{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. 
Default: false -*/}} -{{- define "common.mariadb.values.key.auth" -}} - {{- if .subchart -}} - mariadb.auth - {{- else -}} - auth - {{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/common/templates/validations/_mongodb.tpl b/charts/gitea-bitnami/charts/common/templates/validations/_mongodb.tpl deleted file mode 100644 index e678a6d..0000000 --- a/charts/gitea-bitnami/charts/common/templates/validations/_mongodb.tpl +++ /dev/null 
@@ -1,67 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.auth.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.mongodb.auth.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.auth.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled mongodb. - -Usage: -{{ include "common.mongodb.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.mongodb.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.mongodb.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key auth - -Usage: -{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.key.auth" -}} - {{- if .subchart -}} - mongodb.auth - {{- else -}} - auth - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for architecture - -Usage: -{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.architecture" -}} - {{- if .subchart -}} - {{- .context.Values.mongodb.architecture -}} - {{- else -}} - {{- .context.Values.architecture -}} - {{- end -}} -{{- end -}} 
diff --git a/charts/gitea-bitnami/charts/common/templates/validations/_mysql.tpl b/charts/gitea-bitnami/charts/common/templates/validations/_mysql.tpl deleted file mode 100644 index fbb65c3..0000000 --- a/charts/gitea-bitnami/charts/common/templates/validations/_mysql.tpl +++ /dev/null 
@@ -1,67 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false -*/}} -{{- define "common.mysql.values.auth.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.mysql.auth.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.auth.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled mysql. - -Usage: -{{ include "common.mysql.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.mysql.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.mysql.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for architecture - -Usage: -{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false -*/}} -{{- define "common.mysql.values.architecture" -}} - {{- if .subchart -}} - {{- .context.Values.mysql.architecture -}} - {{- else -}} - {{- .context.Values.architecture -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key auth - -Usage: -{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false -*/}} -{{- define "common.mysql.values.key.auth" -}} - {{- if .subchart -}} - mysql.auth - {{- else -}} - auth - {{- end -}} -{{- end -}} 
diff --git a/charts/gitea-bitnami/charts/common/templates/validations/_postgresql.tpl b/charts/gitea-bitnami/charts/common/templates/validations/_postgresql.tpl deleted file mode 100644 index 51d4716..0000000 --- a/charts/gitea-bitnami/charts/common/templates/validations/_postgresql.tpl +++ /dev/null 
@@ -1,105 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Auxiliary function to decide whether evaluate global values. - -Usage: -{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} -Params: - - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" -*/}} -{{- define "common.postgresql.values.use.global" -}} - {{- if .context.Values.global -}} - {{- if .context.Values.global.postgresql -}} - {{- index .context.Values.global.postgresql .key | quote -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} -*/}} -{{- define "common.postgresql.values.existingSecret" -}} - {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} - - {{- if .subchart -}} - {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} - {{- else -}} - {{- default (.context.Values.existingSecret | quote) $globalValue -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled postgresql. - -Usage: -{{ include "common.postgresql.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.postgresql.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.postgresql.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key postgressPassword. - -Usage: -{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. 
Default: false -*/}} -{{- define "common.postgresql.values.key.postgressPassword" -}} - {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} - - {{- if not $globalValue -}} - {{- if .subchart -}} - postgresql.postgresqlPassword - {{- else -}} - postgresqlPassword - {{- end -}} - {{- else -}} - global.postgresql.postgresqlPassword - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled.replication. - -Usage: -{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.postgresql.values.enabled.replication" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.postgresql.replication.enabled -}} - {{- else -}} - {{- printf "%v" .context.Values.replication.enabled -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key replication.password. - -Usage: -{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.postgresql.values.key.replicationPassword" -}} - {{- if .subchart -}} - postgresql.replication.password - {{- else -}} - replication.password - {{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/common/templates/validations/_redis.tpl b/charts/gitea-bitnami/charts/common/templates/validations/_redis.tpl deleted file mode 100644 index 9fedfef..0000000 --- a/charts/gitea-bitnami/charts/common/templates/validations/_redis.tpl +++ /dev/null 
@@ -1,48 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - - -{{/* vim: set filetype=mustache: */}} -{{/* -Auxiliary function to get the right value for enabled redis. - -Usage: -{{ include "common.redis.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.redis.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.redis.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right prefix path for the values - -Usage: -{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false -*/}} -{{- define "common.redis.values.keys.prefix" -}} - {{- if .subchart -}}redis.{{- else -}}{{- end -}} -{{- end -}} - -{{/* -Checks whether the redis chart's includes the standarizations (version >= 14) - -Usage: -{{ include "common.redis.values.standarized.version" (dict "context" $) }} -*/}} -{{- define "common.redis.values.standarized.version" -}} - - {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} - {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} - - {{- if $standarizedAuthValues -}} - {{- true -}} - {{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/common/templates/validations/_validations.tpl b/charts/gitea-bitnami/charts/common/templates/validations/_validations.tpl deleted file mode 100644 index 7cdee61..0000000 --- a/charts/gitea-bitnami/charts/common/templates/validations/_validations.tpl +++ /dev/null 
@@ -1,51 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Validate values must not be empty. - -Usage: -{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} -{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} -{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} - -Validate value params: - - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" - - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" - - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" -*/}} -{{- define "common.validations.values.multiple.empty" -}} - {{- range .required -}} - {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} - {{- end -}} -{{- end -}} - -{{/* -Validate a value must not be empty. - -Usage: -{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} - -Validate value params: - - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" - - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" - - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" - - subchart - String - Optional - Name of the subchart that the validated password is part of. 
-*/}} -{{- define "common.validations.values.single.empty" -}} - {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} - {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} - - {{- if not $value -}} - {{- $varname := "my-value" -}} - {{- $getCurrentValue := "" -}} - {{- if and .secret .field -}} - {{- $varname = include "common.utils.fieldToEnvVar" . -}} - {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} - {{- end -}} - {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} - {{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/common/values.yaml b/charts/gitea-bitnami/charts/common/values.yaml deleted file mode 100644 index de2cac5..0000000 --- a/charts/gitea-bitnami/charts/common/values.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# Copyright Broadcom, Inc. All Rights Reserved. -# SPDX-License-Identifier: APACHE-2.0 - -## bitnami/common -## It is required by CI/CD tools and processes. -## @skip exampleValue -## -exampleValue: common-chart diff --git a/charts/gitea-bitnami/charts/postgresql/.helmignore b/charts/gitea-bitnami/charts/postgresql/.helmignore deleted file mode 100644 index 207983f..0000000 --- a/charts/gitea-bitnami/charts/postgresql/.helmignore +++ /dev/null @@ -1,25 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -# img folder -img/ -# Changelog -CHANGELOG.md diff --git a/charts/gitea-bitnami/charts/postgresql/Chart.lock b/charts/gitea-bitnami/charts/postgresql/Chart.lock deleted file mode 100644 index 68e3e3e..0000000 
--- a/charts/gitea-bitnami/charts/postgresql/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: common - repository: oci://registry-1.docker.io/bitnamicharts - version: 2.30.0 -digest: sha256:46afdf79eae69065904d430f03f7e5b79a148afed20aa45ee83ba88adc036169 -generated: "2025-02-20T02:43:09.054508088Z" diff --git a/charts/gitea-bitnami/charts/postgresql/Chart.yaml b/charts/gitea-bitnami/charts/postgresql/Chart.yaml deleted file mode 100644 index ee42411..0000000 --- a/charts/gitea-bitnami/charts/postgresql/Chart.yaml +++ /dev/null @@ -1,38 +0,0 @@ -annotations: - category: Database - images: | - - name: os-shell - image: docker.io/bitnami/os-shell:12-debian-12-r41 - - name: postgres-exporter - image: docker.io/bitnami/postgres-exporter:0.17.1-debian-12-r4 - - name: postgresql - image: docker.io/bitnami/postgresql:17.4.0-debian-12-r14 - licenses: Apache-2.0 - tanzuCategory: service -apiVersion: v2 -appVersion: 17.4.0 -dependencies: -- name: common - repository: oci://registry-1.docker.io/bitnamicharts - tags: - - bitnami-common - version: 2.x.x -description: PostgreSQL (Postgres) is an open source object-relational database known - for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, - views, triggers and stored procedures. -home: https://bitnami.com -icon: https://dyltqmyl993wv.cloudfront.net/assets/stacks/postgresql/img/postgresql-stack-220x234.png -keywords: -- postgresql -- postgres -- database -- sql -- replication -- cluster -maintainers: -- name: Broadcom, Inc. All Rights Reserved. - url: https://github.com/bitnami/charts -name: postgresql -sources: -- https://github.com/bitnami/charts/tree/main/bitnami/postgresql -version: 16.6.2 diff --git a/charts/gitea-bitnami/charts/postgresql/README.md b/charts/gitea-bitnami/charts/postgresql/README.md deleted file mode 100644 index 76dab00..0000000 --- a/charts/gitea-bitnami/charts/postgresql/README.md +++ /dev/null 
@@ -1,1142 +0,0 @@ - - -# Bitnami package for PostgreSQL - -PostgreSQL (Postgres) is an open source object-relational database known for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, views, triggers and stored procedures. - -[Overview of PostgreSQL](http://www.postgresql.org) - -Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. - -## TL;DR - -```console -helm install my-release oci://registry-1.docker.io/bitnamicharts/postgresql -``` - -Looking to use PostgreSQL in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. - -## Introduction - -This chart bootstraps a [PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -For HA, please see [this repo](https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha) - -Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. - -## Prerequisites - -- Kubernetes 1.23+ -- Helm 3.8.0+ -- PV provisioner support in the underlying infrastructure - -## Installing the Chart - -To install the chart with the release name `my-release`: - -```console -helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/postgresql -``` - -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. - -The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. 
The [Parameters](#parameters) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Configuration and installation details - -### Resource requests and limits - -Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. - -To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcesPreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - -### Prometheus metrics - -This chart can be integrated with Prometheus by setting `metrics.enabled` to `true`. This will deploy a sidecar container with [postgres_exporter](https://github.com/prometheus-community/postgres_exporter) in all pods. It will also create `metrics` services that can be configured under the `metrics.service` section. These services will be have the necessary annotations to be automatically scraped by Prometheus. - -#### Prometheus requirements - -It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work. Install the [Bitnami Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/prometheus) or the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) to easily have a working Prometheus in your cluster. 
- -#### Integration with Prometheus Operator - -The chart can deploy `ServiceMonitor` objects for integration with Prometheus Operator installations. To do so, set the value `metrics.serviceMonitor.enabled=true`. Ensure that the Prometheus Operator `CustomResourceDefinitions` are installed in the cluster or it will fail with the following error: - -```text -no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1" -``` - -Install the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) for having the necessary CRDs and the Prometheus Operator. - -### [Rolling VS Immutable tags](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. - -### Customizing primary and read replica services in a replicated configuration - -At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object. 
- -### Use a different PostgreSQL version - -To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. - -### LDAP - -LDAP support can be enabled in the chart by specifying the `ldap.` parameters while creating a release. The following parameters should be configured to properly enable the LDAP support in the chart. - -- **ldap.enabled**: Enable LDAP support. Defaults to `false`. -- **ldap.uri**: LDAP URL beginning in the form `ldap[s]://:`. No defaults. -- **ldap.base**: LDAP base DN. No defaults. -- **ldap.binddn**: LDAP bind DN. No defaults. -- **ldap.bindpw**: LDAP bind password. No defaults. -- **ldap.bslookup**: LDAP base lookup. No defaults. -- **ldap.nss_initgroups_ignoreusers**: LDAP ignored users. `root,nslcd`. -- **ldap.scope**: LDAP search scope. No defaults. -- **ldap.tls_reqcert**: LDAP TLS check on server certificates. No defaults. - -For example: - -```text -ldap.enabled="true" -ldap.uri="ldap://my_ldap_server" -ldap.base="dc=example\,dc=org" -ldap.binddn="cn=admin\,dc=example\,dc=org" -ldap.bindpw="admin" -ldap.bslookup="ou=group-ok\,dc=example\,dc=org" -ldap.nss_initgroups_ignoreusers="root\,nslcd" -ldap.scope="sub" -ldap.tls_reqcert="demand" -``` - -Next, login to the PostgreSQL server using the `psql` client and add the PAM authenticated LDAP users. - -> Note: Parameters including commas must be escaped as shown in the above example. - -### Update credentials - -Bitnami charts, with its default settings, configure credentials at first boot. 
Any further change in the secrets or credentials can be done using one of the following methods: - -### Manual update of the passwords and secrets - -- Update the user password following [the upstream documentation](https://www.postgresql.org/docs/current/sql-alteruser.html) -- Update the password secret with the new values (replace the SECRET_NAME, PASSWORD and POSTGRES_PASSWORD placeholders) - -```shell -kubectl create secret generic SECRET_NAME --from-literal=password=PASSWORD --from-literal=postgres-password=POSTGRES_PASSWORD --dry-run -o yaml | kubectl apply -f - -``` - -### Automated update using a password update job - -The Bitnami PostgreSQL provides a password update job that will automatically change the PostgreSQL passwords when running helm upgrade. To enable the job set `passwordUpdateJob.enabled=true`. This job requires: - -- The new passwords: this is configured using either `auth.postgresPassword`, `auth.password` and `auth.replicationPassword` (if applicable) or setting `auth.existingSecret`. -- The previous passwords: This value is taken automatically from already deployed secret object. If you are using `auth.existingSecret` or `helm template` instead of `helm upgrade`, then set either `passwordUpdate.job.previousPasswords.postgresPassword`, `passwordUpdate.job.previousPasswords.password`, `passwordUpdate.job.previousPasswords.replicationPassword` (when applicable), or setting `passwordUpdateJob,previousPasswords.existingSecret`. 
-
-In the following example we update the password via values.yaml in a PostgreSQL installation with replication
-
-```yaml
-architecture: "replication"
-
-auth:
- user: "user"
- postgresPassword: "newPostgresPassword123"
- password: "newUserPassword123"
- replicationPassword: "newReplicationPassword123"
-
-passwordUpdateJob:
- enabled: true
-```
-
-In this example we use two existing secrets (`new-password-secret` and `previous-password-secret`) to update the passwords:
-
-```yaml
-auth:
- existingSecret: new-password-secret
-
-passwordUpdateJob:
- enabled: true
- previousPasswords:
- existingSecret: previous-password-secret
-```
-
-You can add extra update commands using the `passwordUpdateJob.extraCommands` value.
-
-### postgresql.conf / pg_hba.conf files as configMap
-
-This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration`/`readReplicas.extendedConfiguration` parameters as a string. Alternatively, to replace the entire default configuration use `primary.configuration`.
-
-You can also add a custom pg_hba.conf using the `primary.pgHbaConfiguration` parameter.
-
-In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `primary.existingConfigmap` parameter. Note that this will override the two previous options.
-
-### Initialize a fresh instance
-
-The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `primary.initdb.scripts` parameter as a string.
-
-In addition, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `primary.initdb.scriptsConfigMap` parameter. Note that this will override the two previous options.
If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `primary.initdb.scriptsSecret` parameter.
-
-The allowed extensions are `.sh`, `.sql` and `.sql.gz`.
-
-### Securing traffic using TLS
-
-TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart:
-
-- `tls.enabled`: Enable TLS support. Defaults to `false`
-- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults.
-- `tls.certFilename`: Certificate filename. No defaults.
-- `tls.certKeyFilename`: Certificate key filename. No defaults.
-
-For example:
-
-- First, create the secret with the cetificates files:
-
- ```console
- kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt
- ```
-
-- Then, use the following parameters:
-
- ```console
- volumePermissions.enabled=true
- tls.enabled=true
- tls.certificatesSecret="certificates-tls-secret"
- tls.certFilename="cert.crt"
- tls.certKeyFilename="cert.key"
- ```
-
- > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected.
-
-### Sidecars
-
-If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec.
- -```yaml -# For the PostgreSQL primary -primary: - sidecars: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -# For the PostgreSQL replicas -readReplicas: - sidecars: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -### Metrics - -The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). - -The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. - -### Use of global variables - -In more complex scenarios, we may have the following tree of dependencies - -```text - +--------------+ - | | - +------------+ Chart 1 +-----------+ - | | | | - | --------+------+ | - | | | - | | | - | | | - | | | - v v v -+-------+------+ +--------+------+ +--------+------+ -| | | | | | -| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | -| | | | | | -+--------------+ +---------------+ +---------------+ -``` - -The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. 
In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters:
-
-```text
-postgresql.auth.username=testuser
-subchart1.postgresql.auth.username=testuser
-subchart2.postgresql.auth.username=testuser
-postgresql.auth.password=testpass
-subchart1.postgresql.auth.password=testpass
-subchart2.postgresql.auth.password=testpass
-postgresql.auth.database=testdb
-subchart1.postgresql.auth.database=testdb
-subchart2.postgresql.auth.database=testdb
-```
-
-If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows:
-
-```text
-global.postgresql.auth.username=testuser
-global.postgresql.auth.password=testpass
-global.postgresql.auth.database=testdb
-```
-
-This way, the credentials will be available in all of the subcharts.
-
-### Backup and restore
-
-To back up and restore Bitnami PostgreSQL Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using [Velero](https://velero.io/), a Kubernetes backup/restore tool.
-
-These are the steps you will usually follow to back up and restore your PostgreSQL cluster data:
-
-- Install Velero on the source and destination clusters.
-- Use Velero to back up the PersistentVolumes (PVs) used by the deployment on the source cluster.
-- Use Velero to restore the backed-up PVs on the destination cluster.
-- Create a new deployment on the destination cluster with the same chart, deployment name, credentials and other parameters as the original. This new deployment will use the restored PVs and hence the original data.
-
-Refer to our detailed [tutorial on backing up and restoring PostgreSQL deployments on Kubernetes](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-migrate-data-tac-velero-index.html) for more information.
-
-### NetworkPolicy
-
-To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`.
-
-For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace:
-
-```console
-kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
-```
-
-With NetworkPolicy enabled, traffic will be limited to just port 5432.
-
-For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL.
-This label will be displayed in the output of a successful install.
-
-### Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image
-
-- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image.
-- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`.
A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. -- For OpenShift up to 4.10, let set the volume permissions, security context, runAsUser and fsGroup automatically by OpenShift and disable the predefined settings of the helm chart: primary.securityContext.enabled=false,primary.containerSecurityContext.enabled=false,volumePermissions.enabled=false,shmVolume.enabled=false -- For OpenShift 4.11 and higher, let set OpenShift the runAsUser and fsGroup automatically. Configure the pod and container security context to restrictive defaults and disable the volume permissions setup: primary. - podSecurityContext.fsGroup=null,primary.podSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.runAsUser=null,primary.containerSecurityContext.allowPrivilegeEscalation=false,primary.containerSecurityContext.runAsNonRoot=true,primary.containerSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.capabilities.drop=['ALL'],volumePermissions.enabled=false,shmVolume.enabled=false - -### Setting Pod's affinity - -This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). - -As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. 
-
-## Persistence
-
-The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container.
-
-Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube.
-See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
-
-If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished.
-
-## Parameters
-
-### Global parameters
-
-| Name | Description | Value |
-| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `global.imageRegistry` | Global Docker image registry | `""` |
-| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
-| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` |
-| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` |
-| `global.security.allowInsecureImages` | Allows skipping image verification | `false` |
-| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` |
-| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` |
-| `global.postgresql.auth.password` | Password for the custom
user to create (overrides `auth.password`) | `""` |
-| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` |
-| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` |
-| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
-| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
-| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
-| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` |
-| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs.
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
-
-### Common parameters
-
-| Name | Description | Value |
-| ------------------------ | -------------------------------------------------------------------------------------------- | --------------- |
-| `kubeVersion` | Override Kubernetes version | `""` |
-| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` |
-| `fullnameOverride` | String to fully override common.names.fullname template | `""` |
-| `namespaceOverride` | String to fully override common.names.namespace | `""` |
-| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` |
-| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` |
-| `commonLabels` | Add labels to all the deployed resources | `{}` |
-| `commonAnnotations` | Add annotations to all the deployed resources | `{}` |
-| `secretAnnotations` | Add annotations to the secrets | `{}` |
-| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
-| `diagnosticMode.command` | Command to override all containers in the statefulset | `["sleep"]` |
-| `diagnosticMode.args` | Args to override all containers in the statefulset | `["infinity"]` |
-
-### PostgreSQL common parameters
-
-| Name | Description | Value |
-| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- |
-| `image.registry` | PostgreSQL image registry | `REGISTRY_NAME` |
-| `image.repository`
| PostgreSQL image repository | `REPOSITORY_NAME/postgresql` |
-| `image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` |
-| `image.pullSecrets` | Specify image pull secrets | `[]` |
-| `image.debug` | Specify if debug values should be set | `false` |
-| `auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `true` |
-| `auth.postgresPassword` | Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided | `""` |
-| `auth.username` | Name for a custom user to create | `""` |
-| `auth.password` | Password for the custom user to create. Ignored if `auth.existingSecret` is provided | `""` |
-| `auth.database` | Name for a custom database to create | `""` |
-| `auth.replicationUsername` | Name of the replication user | `repl_user` |
-| `auth.replicationPassword` | Password for the replication user. Ignored if `auth.existingSecret` is provided | `""` |
-| `auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. | `""` |
-| `auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `postgres-password` |
-| `auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `password` |
-| `auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
| `replication-password` |
-| `auth.usePasswordFiles` | Mount credentials as a files instead of using an environment variable | `true` |
-| `architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
-| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` |
-| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. | `0` |
-| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` |
-| `containerPorts.postgresql` | PostgreSQL container port | `5432` |
-| `audit.logHostname` | Log client hostnames | `false` |
-| `audit.logConnections` | Add client log-in operations to the log file | `false` |
-| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` |
-| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `""` |
-| `audit.pgAuditLogCatalog` | Log catalog using pgAudit | `off` |
-| `audit.clientMinMessages` | Message log level to share with the user | `error` |
-| `audit.logLinePrefix` | Template for log line prefix (default if not set) | `""` |
-| `audit.logTimezone` | Timezone for the log timestamps | `""` |
-| `ldap.enabled` | Enable LDAP support | `false` |
-| `ldap.server` | IP address or name of the LDAP server.
| `""` |
-| `ldap.port` | Port number on the LDAP server to connect to | `""` |
-| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `""` |
-| `ldap.suffix` | String to append to the user name when forming the DN to bind | `""` |
-| `ldap.basedn` | Root DN to begin the search for the user in | `""` |
-| `ldap.binddn` | DN of user to bind to LDAP | `""` |
-| `ldap.bindpw` | Password for the user to bind to LDAP | `""` |
-| `ldap.searchAttribute` | Attribute to match against the user name in the search | `""` |
-| `ldap.searchFilter` | The search filter to use when doing search+bind authentication | `""` |
-| `ldap.scheme` | Set to `ldaps` to use LDAPS | `""` |
-| `ldap.tls.enabled` | Se to true to enable TLS encryption | `false` |
-| `ldap.uri` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored. | `""` |
-| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql/data` |
-| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` |
-| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) | `true` |
-| `shmVolume.sizeLimit` | Set this to enable a size limit on the shm tmpfs | `""` |
-| `tls.enabled` | Enable TLS traffic support | `false` |
-| `tls.autoGenerated` | Generate automatically self-signed TLS certificates | `false` |
-| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` |
-| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `""` |
-| `tls.certFilename` | Certificate filename | `""` |
-| `tls.certKeyFilename` | Certificate key filename | `""` |
-| `tls.certCAFilename` | CA Certificate filename | `""` |
-| `tls.crlFilename` | File containing a Certificate Revocation List | `""` |
-
-### PostgreSQL Primary parameters
-
-| Name | Description | Value |
-|
----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
-| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` |
-| `primary.configuration` | PostgreSQL Primary main configuration to be injected as ConfigMap | `""` |
-| `primary.pgHbaConfiguration` | PostgreSQL Primary client authentication configuration | `""` |
-| `primary.existingConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary configuration | `""` |
-| `primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `""` |
-| `primary.existingExtendedConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary extended configuration | `""` |
-| `primary.initdb.args` | PostgreSQL initdb extra arguments | `""` |
-| `primary.initdb.postgresqlWalDir` | Specify a custom location for the PostgreSQL transaction log | `""` |
-| `primary.initdb.scripts` | Dictionary of initdb scripts | `{}` |
-| `primary.initdb.scriptsConfigMap` | ConfigMap with scripts to be run at first boot | `""` |
-| `primary.initdb.scriptsSecret` | Secret with scripts to be run at first boot (in case it contains sensitive information) | `""` |
-| `primary.initdb.user` | Specify the PostgreSQL username to execute the initdb scripts | `""` |
-| `primary.initdb.password` | Specify the PostgreSQL password to execute the initdb scripts | `""` |
-| `primary.preInitDb.scripts` | Dictionary of pre-init scripts | `{}` |
-| `primary.preInitDb.scriptsConfigMap` | ConfigMap with pre-init scripts to be run | `""` |
-| `primary.preInitDb.scriptsSecret` | Secret with pre-init scripts to be run | `""` |
-| `primary.standby.enabled` | Whether to enable current cluster's primary as standby
server of another cluster or not | `false` |
-| `primary.standby.primaryHost` | The Host of replication primary in the other cluster | `""` |
-| `primary.standby.primaryPort` | The Port of replication primary in the other cluster | `""` |
-| `primary.extraEnvVars` | Array with extra environment variables to add to PostgreSQL Primary nodes | `[]` |
-| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes | `""` |
-| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL Primary nodes | `""` |
-| `primary.command` | Override default container command (useful when using custom images) | `[]` |
-| `primary.args` | Override default container args (useful when using custom images) | `[]` |
-| `primary.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Primary containers | `true` |
-| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
-| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
-| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
-| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `primary.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Primary containers | `true` |
-| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
-| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
-| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
-| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
-| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `primary.startupProbe.enabled` | Enable startupProbe on PostgreSQL Primary containers |
`false` |
-| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` |
-| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
-| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
-| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `primary.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-| `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
-| `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` |
-| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
| `nano` |
-| `primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `primary.podSecurityContext.enabled` | Enable security context | `true` |
-| `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
-| `primary.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
-| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
-| `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` |
-| `primary.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
-| `primary.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `primary.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
-| `primary.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
-| `primary.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
-| `primary.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
-| `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
-| `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
-| `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
-| `primary.hostAliases` | PostgreSQL primary pods host aliases | `[]` |
-| `primary.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (postgresql primary) |
`false` |
-| `primary.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` |
-| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` |
-| `primary.annotations` | Annotations for PostgreSQL primary pods | `{}` |
-| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` |
-| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` |
-| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
-| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` |
-| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` |
-| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` |
-| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` |
-| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` |
-| `primary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
-| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `""` |
-| `primary.schedulerName` | Use an alternate scheduler, e.g. "stork".
| `""` |
-| `primary.terminationGracePeriodSeconds` | Seconds PostgreSQL primary pod needs to terminate gracefully | `""` |
-| `primary.updateStrategy.type` | PostgreSQL Primary statefulset strategy type | `RollingUpdate` |
-| `primary.updateStrategy.rollingUpdate` | PostgreSQL Primary statefulset rolling update configuration parameters | `{}` |
-| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) | `[]` |
-| `primary.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) | `[]` |
-| `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` |
-| `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` |
-| `primary.pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` |
-| `primary.pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` |
-| `primary.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `primary.pdb.minAvailable` and `primary.pdb.maxUnavailable` are empty. | `""` |
-| `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` |
-| `primary.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
-| `primary.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
-| `primary.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations.
| `true` |
-| `primary.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
-| `primary.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
-| `primary.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
-| `primary.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
-| `primary.service.type` | Kubernetes Service type | `ClusterIP` |
-| `primary.service.ports.postgresql` | PostgreSQL service port | `5432` |
-| `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` |
-| `primary.service.clusterIP` | Static clusterIP or None for headless services | `""` |
-| `primary.service.labels` | Map of labels to add to the primary service | `{}` |
-| `primary.service.annotations` | Annotations for PostgreSQL primary service | `{}` |
-| `primary.service.loadBalancerClass` | Load balancer class if service type is `LoadBalancer` | `""` |
-| `primary.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` |
-| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
-| `primary.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` |
-| `primary.service.extraPorts` | Extra ports to expose in the PostgreSQL primary service | `[]` |
-| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
-| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-| `primary.service.headless.annotations` | Additional custom annotations for headless PostgreSQL primary service | `{}` |
-| `primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `true` |
-| `primary.persistence.volumeName` | Name to assign the volume | `data` |
-| `primary.persistence.existingClaim` | Name of an
existing PVC to use | `""` |
-| `primary.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` |
-| `primary.persistence.subPath` | The subdirectory of the volume to mount to | `""` |
-| `primary.persistence.storageClass` | PVC Storage Class for PostgreSQL Primary data volume | `""` |
-| `primary.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` |
-| `primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
-| `primary.persistence.annotations` | Annotations for the PVC | `{}` |
-| `primary.persistence.labels` | Labels for the PVC | `{}` |
-| `primary.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
-| `primary.persistence.dataSource` | Custom PVC data source | `{}` |
-| `primary.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for Primary Statefulset | `false` |
-| `primary.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
-| `primary.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
-
-### PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`)
-
-| Name | Description | Value |
-| ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
-| `readReplicas.name` | Name of the read replicas database (eg secondary, slave, ...)
| `read` |
-| `readReplicas.replicaCount` | Number of PostgreSQL read only replicas | `1` |
-| `readReplicas.extendedConfiguration` | Extended PostgreSQL read only replicas configuration (appended to main or default configuration) | `""` |
-| `readReplicas.extraEnvVars` | Array with extra environment variables to add to PostgreSQL read only nodes | `[]` |
-| `readReplicas.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes | `""` |
-| `readReplicas.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL read only nodes | `""` |
-| `readReplicas.command` | Override default container command (useful when using custom images) | `[]` |
-| `readReplicas.args` | Override default container args (useful when using custom images) | `[]` |
-| `readReplicas.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL read only containers | `true` |
-| `readReplicas.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
-| `readReplicas.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
-| `readReplicas.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `readReplicas.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
-| `readReplicas.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `readReplicas.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL read only containers | `true` |
-| `readReplicas.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
-| `readReplicas.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
-| `readReplicas.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
-| `readReplicas.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
-| `readReplicas.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `readReplicas.startupProbe.enabled` | Enable startupProbe on PostgreSQL read only containers | `false` | -| `readReplicas.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | -| `readReplicas.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `readReplicas.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `readReplicas.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `readReplicas.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `readReplicas.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` | -| `readReplicas.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production). 
| `nano` | -| `readReplicas.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `readReplicas.podSecurityContext.enabled` | Enable security context | `true` | -| `readReplicas.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `readReplicas.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `readReplicas.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | -| `readReplicas.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | -| `readReplicas.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `readReplicas.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | -| `readReplicas.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | -| `readReplicas.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `readReplicas.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | -| `readReplicas.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | -| `readReplicas.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `readReplicas.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `readReplicas.automountServiceAccountToken` | Mount Service Account token in pod | `false` | -| `readReplicas.hostAliases` | PostgreSQL read only pods host aliases | `[]` | -| 
`readReplicas.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) | `false` | -| `readReplicas.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | -| `readReplicas.labels` | Map of labels to add to the statefulset (PostgreSQL read only) | `{}` | -| `readReplicas.annotations` | Annotations for PostgreSQL read only pods | `{}` | -| `readReplicas.podLabels` | Map of labels to add to the pods (PostgreSQL read only) | `{}` | -| `readReplicas.podAnnotations` | Map of annotations to add to the pods (PostgreSQL read only) | `{}` | -| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` | -| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` | -| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` | -| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` | -| `readReplicas.tolerations` | Tolerations for PostgreSQL read only pods assignment | `[]` | -| `readReplicas.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. 
Evaluated as a template | `[]` | -| `readReplicas.priorityClassName` | Priority Class to use for each pod (PostgreSQL read only) | `""` | -| `readReplicas.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | -| `readReplicas.terminationGracePeriodSeconds` | Seconds PostgreSQL read only pod needs to terminate gracefully | `""` | -| `readReplicas.updateStrategy.type` | PostgreSQL read only statefulset strategy type | `RollingUpdate` | -| `readReplicas.updateStrategy.rollingUpdate` | PostgreSQL read only statefulset rolling update configuration parameters | `{}` | -| `readReplicas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) | `[]` | -| `readReplicas.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) | `[]` | -| `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` | -| `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` | -| `readReplicas.pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` | -| `readReplicas.pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` | -| `readReplicas.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `readReplicas.pdb.minAvailable` and `readReplicas.pdb.maxUnavailable` are empty. | `""` | -| `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` | -| `readReplicas.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | -| `readReplicas.networkPolicy.allowExternal` | Don't require server label for connections | `true` | -| `readReplicas.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | -| `readReplicas.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `readReplicas.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | -| `readReplicas.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | -| `readReplicas.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | -| `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` | -| `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` | -| `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | -| `readReplicas.service.clusterIP` | Static clusterIP or None for headless services | `""` | -| `readReplicas.service.labels` | Map of labels to add to the read service | `{}` | -| `readReplicas.service.annotations` | Annotations for PostgreSQL read only service | `{}` | -| `readReplicas.service.loadBalancerClass` | Load balancer class if service type is `LoadBalancer` | `""` | -| `readReplicas.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` | -| `readReplicas.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `readReplicas.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | -| `readReplicas.service.extraPorts` | Extra ports to expose in the PostgreSQL read only service | `[]` | -| `readReplicas.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `readReplicas.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `readReplicas.service.headless.annotations` | Additional custom annotations for headless PostgreSQL read only service | `{}` | -| `readReplicas.persistence.enabled` | Enable PostgreSQL read only data persistence using PVC | `true` | -| 
`readReplicas.persistence.existingClaim` | Name of an existing PVC to use | `""` | -| `readReplicas.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` | -| `readReplicas.persistence.subPath` | The subdirectory of the volume to mount to | `""` | -| `readReplicas.persistence.storageClass` | PVC Storage Class for PostgreSQL read only data volume | `""` | -| `readReplicas.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` | -| `readReplicas.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | -| `readReplicas.persistence.annotations` | Annotations for the PVC | `{}` | -| `readReplicas.persistence.labels` | Labels for the PVC | `{}` | -| `readReplicas.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | -| `readReplicas.persistence.dataSource` | Custom PVC data source | `{}` | -| `readReplicas.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for read only Statefulset | `false` | -| `readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | -| `readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | - -### Backup parameters - -| Name | Description | Value | -| ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `backup.enabled` | Enable the logical 
dump of the database "regularly" | `false` | -| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` | -| `backup.cronjob.timeZone` | Set the cronjob parameter timeZone | `""` | -| `backup.cronjob.concurrencyPolicy` | Set the cronjob parameter concurrencyPolicy | `Allow` | -| `backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` | -| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` | -| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` | -| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` | -| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` | -| `backup.cronjob.podSecurityContext.enabled` | Enable PodSecurityContext for CronJob/Backup | `true` | -| `backup.cronjob.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `backup.cronjob.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `backup.cronjob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | `1001` | -| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | -| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | -| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | -| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| 
`backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | -| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | -| `backup.cronjob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `backup.cronjob.command` | Set backup container's command to run | `["/bin/sh","-c","pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"]` | -| `backup.cronjob.labels` | Set the cronjob labels | `{}` | -| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` | -| `backup.cronjob.nodeSelector` | Node labels for PostgreSQL backup CronJob pod assignment | `{}` | -| `backup.cronjob.tolerations` | Tolerations for PostgreSQL backup CronJob pods assignment | `[]` | -| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). | `nano` | -| `backup.cronjob.resources` | Set container requests and limits for different resources like CPU or memory | `{}` | -| `backup.cronjob.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | -| `backup.cronjob.storage.enabled` | Enable using a `PersistentVolumeClaim` as backup data volume | `true` | -| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | -| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. 
Leaving it empty will delete PVCs after the chart deleted | `""` | -| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` | -| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | -| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` | -| `backup.cronjob.storage.annotations` | PVC annotations | `{}` | -| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/pgdump` | -| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` | -| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | -| `backup.cronjob.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the backup container | `[]` | -| `backup.cronjob.extraVolumes` | Optionally specify extra list of additional volumes for the backup container | `[]` | - -### Password update job - -| Name | Description | Value | -| --------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -| `passwordUpdateJob.enabled` | Enable password update job | `false` | -| `passwordUpdateJob.backoffLimit` | set backoff limit of the job | `10` | -| `passwordUpdateJob.command` | Override default container command on mysql Primary container(s) (useful when using custom images) | `[]` | -| `passwordUpdateJob.args` | Override default container args on mysql Primary container(s) (useful when using custom images) | `[]` | -| `passwordUpdateJob.extraCommands` | Extra commands to pass to the generation job | `""` | -| `passwordUpdateJob.previousPasswords.postgresPassword` | Previous postgres password (set if 
the password secret was already changed) | `""` | -| `passwordUpdateJob.previousPasswords.password` | Previous password (set if the password secret was already changed) | `""` | -| `passwordUpdateJob.previousPasswords.replicationPassword` | Previous replication password (set if the password secret was already changed) | `""` | -| `passwordUpdateJob.previousPasswords.existingSecret` | Name of a secret containing the previous passwords (set if the password secret was already changed) | `""` | -| `passwordUpdateJob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `passwordUpdateJob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | -| `passwordUpdateJob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `passwordUpdateJob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | -| `passwordUpdateJob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | -| `passwordUpdateJob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `passwordUpdateJob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | -| `passwordUpdateJob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | -| `passwordUpdateJob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `passwordUpdateJob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `passwordUpdateJob.podSecurityContext.enabled` | Enabled credential init job pods' Security Context | `true` | -| `passwordUpdateJob.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `passwordUpdateJob.podSecurityContext.sysctls` | Set 
kernel settings using the sysctl interface | `[]` | -| `passwordUpdateJob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `passwordUpdateJob.podSecurityContext.fsGroup` | Set credential init job pod's Security Context fsGroup | `1001` | -| `passwordUpdateJob.extraEnvVars` | Array containing extra env vars to configure the credential init job | `[]` | -| `passwordUpdateJob.extraEnvVarsCM` | ConfigMap containing extra env vars to configure the credential init job | `""` | -| `passwordUpdateJob.extraEnvVarsSecret` | Secret containing extra env vars to configure the credential init job (in case of sensitive data) | `""` | -| `passwordUpdateJob.extraVolumes` | Optionally specify extra list of additional volumes for the credential init job | `[]` | -| `passwordUpdateJob.extraVolumeMounts` | Array of extra volume mounts to be added to the jwt Container (evaluated as template). Normally used with `extraVolumes`. | `[]` | -| `passwordUpdateJob.initContainers` | Add additional init containers for the mysql Primary pod(s) | `[]` | -| `passwordUpdateJob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if passwordUpdateJob.resources is set (passwordUpdateJob.resources is recommended for production). 
| `micro` | -| `passwordUpdateJob.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `passwordUpdateJob.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `passwordUpdateJob.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `passwordUpdateJob.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `passwordUpdateJob.automountServiceAccountToken` | Mount Service Account token in pod | `false` | -| `passwordUpdateJob.hostAliases` | Add deployment host aliases | `[]` | -| `passwordUpdateJob.annotations` | Add annotations to the job | `{}` | -| `passwordUpdateJob.podLabels` | Additional pod labels | `{}` | -| `passwordUpdateJob.podAnnotations` | Additional pod annotations | `{}` | - -### Volume Permissions parameters - -| Name | Description | Value | -| ---------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | -| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | -| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | -| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | -| `volumePermissions.containerSecurityContext.runAsGroup` | Group ID for the init container | `0` | -| `volumePermissions.containerSecurityContext.runAsNonRoot` | runAsNonRoot for the init container | `false` | -| `volumePermissions.containerSecurityContext.seccompProfile.type` | seccompProfile.type for the init container | `RuntimeDefault` | - -### Other Parameters - -| Name | Description | Value | -| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | -| `serviceAccount.create` | Enable creation of ServiceAccount for PostgreSQL pod | `true` | -| `serviceAccount.name` | The name of the ServiceAccount to use. 
| `""` | -| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | -| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | -| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` | -| `rbac.rules` | Custom RBAC rules to set | `[]` | -| `psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | - -### Metrics Parameters - -| Name | Description | Value | -| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `metrics.enabled` | Start a prometheus exporter | `false` | -| `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `REGISTRY_NAME` | -| `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `REPOSITORY_NAME/postgres-exporter` | -| `metrics.image.digest` | PostgreSQL image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Specify image pull secrets | `[]` | -| `metrics.collectors` | Control enabled collectors | `{}` | -| `metrics.customMetrics` | Define additional custom metrics | `{}` | -| `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` | -| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | -| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | -| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | -| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | -| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | -| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Prometheus exporter containers | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| 
`metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Prometheus exporter containers | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | -| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.startupProbe.enabled` | Enable startupProbe on PostgreSQL Prometheus exporter containers | `false` | -| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | -| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` | -| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). 
| `nano` | -| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` | -| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` | -| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `metrics.service.annotations` | Annotations for Prometheus to auto-discover the metrics endpoint | `{}` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | -| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | -| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. 
| `""` | -| `metrics.prometheusRule.enabled` | Create a PrometheusRule for Prometheus Operator | `false` | -| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | -| `metrics.prometheusRule.labels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | -| `metrics.prometheusRule.rules` | PrometheusRule definitions | `[]` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - -```console -helm install my-release \ - --set auth.postgresPassword=secretpassword - oci://REGISTRY_NAME/REPOSITORY_NAME/postgresql -``` - -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. - -The above command sets the PostgreSQL `postgres` account password to `secretpassword`. - -> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. -> **Warning** Setting a password will be ignored on new installation in case when previous PostgreSQL release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. Refer to [issue 2061](https://github.com/bitnami/charts/issues/2061) for more details - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. 
For example, - -```console -helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/postgresql -``` - -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. -> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/postgresql/values.yaml) - -## Troubleshooting - -Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). - -## Upgrading - -### To 16.3.0 - -This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850). - -### To 15.0.0 - -This major bump changes the following security defaults: - -- `runAsGroup` is changed from `0` to `1001` -- `readOnlyRootFilesystem` is set to `true` -- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). -- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. - -This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. - -### To 14.0.0 - -This major version adapts the NetworkPolicy objects to the most recent Bitnami standards. Now there is a separate object for `primary` and for `readReplicas`, being located in their corresponding sections. It is also enabled by default in other to comply with the best security standards. - -Check the parameter section for the new value structure. 
- -### To 13.0.0 - -This major version changes the default PostgreSQL image from 15.x to 16.x. Follow the [official instructions](https://www.postgresql.org/docs/16/upgrading.html) to upgrade to 16.x. - -### To 12.0.0 - -This major version changes the default PostgreSQL image from 14.x to 15.x. Follow the [official instructions](https://www.postgresql.org/docs/15/upgrading.html) to upgrade to 15.x. - -### To 11.0.0 - -In this version the application version was bumped to _14.x_ series. Also, this major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository. - -- _replication.enabled_ parameter is deprecated in favor of _architecture_ parameter that accepts two values: _standalone_ and _replication_. -- _replication.singleService_ and _replication.uniqueServices_ parameters are deprecated. When using replication, each statefulset (primary and read-only) has its own headless service & service allowing to connect to read-only replicas through the service (round-robin) or individually. -- _postgresqlPostgresPassword_, _postgresqlUsername_, _postgresqlPassword_, _postgresqlDatabase_, _replication.user_, _replication.password_, and _existingSecret_ parameters have been regrouped under the _auth_ map. The _auth_ map uses a new perspective to configure authentication, so please read carefully each sub-parameter description. -- _extraEnv_ has been deprecated in favor of _primary.extraEnvVars_ and _readReplicas.extraEnvVars_. -- _postgresqlConfiguration_, _pgHbaConfiguration_, _configurationConfigMap_, _postgresqlExtendedConf_, and _extendedConfConfigMap_ have been deprecated in favor of _primary.configuration_, _primary.pgHbaConfiguration_, _primary.existingConfigmap_, _primary.extendedConfiguration_, and _primary.existingExtendedConfigmap_. 
-- _postgresqlInitdbArgs_, _postgresqlInitdbWalDir_, _initdbScripts_, _initdbScriptsConfigMap_, _initdbScriptsSecret_, _initdbUser_ and _initdbPassword_ have been regrouped under the _primary.initdb_ map. -- _postgresqlMaxConnections_, _postgresqlPostgresConnectionLimit_, _postgresqlDbUserConnectionLimit_, _postgresqlTcpKeepalivesInterval_, _postgresqlTcpKeepalivesIdle_, _postgresqlTcpKeepalivesCount_, _postgresqlStatementTimeout_ and _postgresqlPghbaRemoveFilters_ parameters are deprecated. Use _XXX.extraEnvVars_ instead. -- _primaryAsStandBy_ has been deprecated in favor of _primary.standby_. -- _securityContext_ and _containerSecurityContext_ have been deprecated in favor of _primary.podSecurityContext_, _primary.containerSecurityContext_, _readReplicas.podSecurityContext_, and _readReplicas.containerSecurityContext_. -- _livenessProbe_ and _readinessProbe_ maps have been deprecated in favor of _primary.livenessProbe_, _primary.readinessProbe_, _readReplicas.livenessProbe_ and _readReplicas.readinessProbe_ maps. -- _persistence_ map has been deprecated in favor of _primary.persistence_ and _readReplicas.persistence_ maps. -- _networkPolicy_ map has been completely refactored. -- _service_ map has been deprecated in favor of _primary.service_ and _readReplicas.service_ maps. -- _metrics.service.port_ has been regrouped under the _metrics.service.ports_ map. -- _serviceAccount.enabled_ and _serviceAccount.autoMount_ have been deprecated in favor of _serviceAccount.create_ and _serviceAccount.automountServiceAccountToken_. - -#### How to upgrade to version 11.0.0 - -To upgrade to _11.0.0_ from _10.x_, it should be done reusing the PVC(s) used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is _postgresql_): - -> NOTE: Please, create a backup of your database before running any of these actions. - -1. 
Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: - -```console -export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) -export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") -``` - -1. Delete the PostgreSQL statefulset (notice the option _--cascade=false_) and secret: - -```console -kubectl delete statefulsets.apps postgresql-postgresql --namespace default --cascade=false -kubectl delete secret postgresql --namespace default -``` - -1. Upgrade your release using the same PostgreSQL version: - -```console -CURRENT_VERSION=$(kubectl exec postgresql-postgresql-0 -- bash -c 'echo $BITNAMI_IMAGE_VERSION') -helm upgrade postgresql bitnami/postgresql \ - --set auth.postgresPassword=$POSTGRESQL_PASSWORD \ - --set primary.persistence.existingClaim=$POSTGRESQL_PVC \ - --set image.tag=$CURRENT_VERSION -``` - -1. You will have to delete the existing PostgreSQL pod and the new statefulset is going to create a new one - -```console -kubectl delete pod postgresql-postgresql-0 -``` - -1. Finally, you should see the lines below in PostgreSQL container logs: - -```text -$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}") -... -postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... -... -``` - -> NOTE: the instructions above reuse the same PostgreSQL version you were using in your chart release. Otherwise, you will find an error such as the one below when upgrading since the new chart major version also bumps the application version. 
To workaround this issue you need to upgrade database, please refer to the [official PostgreSQL documentation](https://www.postgresql.org/docs/current/upgrading.html) for more information about this. - -```console -$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}") - ... -postgresql 08:10:14.72 INFO ==> ** Starting PostgreSQL ** -2022-02-01 08:10:14.734 GMT [1] FATAL: database files are incompatible with server -2022-02-01 08:10:14.734 GMT [1] DETAIL: The data directory was initialized by PostgreSQL version 11, which is not compatible with this version 14.1. -``` - -### To 10.0.0 - -[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. - -- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. -- Move dependency information from the _requirements.yaml_ to the _Chart.yaml_ -- After running _helm dependency update_, a _Chart.lock_ file is generated containing the same structure used in the previous _requirements.lock_ -- The different fields present in the _Chart.yaml_ file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Chart. -- The term _master_ has been replaced with _primary_ and _slave_ with _readReplicas_ throughout the chart. Role names have changed from _master_ and _slave_ to _primary_ and _read_. 
- -#### Considerations when upgrading to this version - -- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version does not support Helm v2 anymore. -- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3. - -#### Useful links - -- [Bitnami Tutorial](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-resolve-helm2-helm3-post-migration-issues-index.html) -- [Helm docs](https://helm.sh/docs/topics/v2_v3_migration) -- [Helm Blog](https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3) - -#### How to upgrade to version 10.0.0 - -To upgrade to _10.0.0_ from _9.x_, it should be done reusing the PVC(s) used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is _postgresql_): - -> NOTE: Please, create a backup of your database before running any of those actions. - -1. Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: - -```console -export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) -export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") -``` - -1. Delete the PostgreSQL statefulset (notice the option _--cascade=false_): - -```console -kubectl delete statefulsets.apps postgresql-postgresql --namespace default --cascade=false -``` - -1. 
Upgrade your release using the same PostgreSQL version: - -```console -helm upgrade postgresql bitnami/postgresql \ - --set postgresqlPassword=$POSTGRESQL_PASSWORD \ - --set persistence.existingClaim=$POSTGRESQL_PVC -``` - -1. Delete the existing PostgreSQL pod and the new statefulset will create a new one: - -```console -kubectl delete pod postgresql-postgresql-0 -``` - -1. Finally, you should see the lines below in PostgreSQL container logs: - -```text -$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") -... -postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... -... -``` - -### To 9.0.0 - -In this version the chart was adapted to follow the [Helm standard labels](https://helm.sh/docs/chart_best_practices/labels/#standard-labels). - -- Some inmutable objects were modified to adopt Helm standard labels introducing backward incompatibilities. - -#### How to upgrade to version 9.0.0 - -To upgrade to _9.0.0_ from _8.x_, it should be done reusing the PVC(s) used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is _postgresql_): - -> NOTE: Please, create a backup of your database before running any of those actions. - -1. Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: - -```console -export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) -export POSTGRESQL_PVC=$(kubectl get pvc -l app=postgresql,role=master -o jsonpath="{.items[0].metadata.name}") -``` - -1. Delete the PostgreSQL statefulset (notice the option _--cascade=false_): - -```console -kubectl delete statefulsets.apps postgresql-postgresql --namespace default --cascade=false -``` - -1. 
Upgrade your release using the same PostgreSQL version: - -```console -helm upgrade postgresql bitnami/postgresql \ - --set postgresqlPassword=$POSTGRESQL_PASSWORD \ - --set persistence.existingClaim=$POSTGRESQL_PVC -``` - -1. Delete the existing PostgreSQL pod and the new statefulset will create a new one: - -```console -kubectl delete pod postgresql-postgresql-0 -``` - -1. Finally, you should see the lines below in PostgreSQL container logs: - -```text -$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,role=master -o jsonpath="{.items[0].metadata.name}") -... -postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... -... -``` - -## License - -Copyright © 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. \ No newline at end of file diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/.helmignore b/charts/gitea-bitnami/charts/postgresql/charts/common/.helmignore deleted file mode 100644 index d0e1084..0000000 --- a/charts/gitea-bitnami/charts/postgresql/charts/common/.helmignore +++ /dev/null 
@@ -1,26 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
-# img folder
-img/
-# Changelog
-CHANGELOG.md
diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/Chart.yaml b/charts/gitea-bitnami/charts/postgresql/charts/common/Chart.yaml
deleted file mode 100644
index 10fc86a..0000000
--- a/charts/gitea-bitnami/charts/postgresql/charts/common/Chart.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-annotations:
- category: Infrastructure
- licenses: Apache-2.0
-apiVersion: v2
-appVersion: 2.30.0
-description: A Library Helm Chart for grouping common logic between bitnami charts.
- This chart is not deployable by itself.
-home: https://bitnami.com
-icon: https://dyltqmyl993wv.cloudfront.net/downloads/logos/bitnami-mark.png
-keywords:
-- common
-- helper
-- template
-- function
-- bitnami
-maintainers:
-- name: Broadcom, Inc. All Rights Reserved.
- url: https://github.com/bitnami/charts
-name: common
-sources:
-- https://github.com/bitnami/charts/tree/main/bitnami/common
-type: library
-version: 2.30.0
diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/README.md b/charts/gitea-bitnami/charts/postgresql/charts/common/README.md
deleted file mode 100644
index 0e5f649..0000000
--- a/charts/gitea-bitnami/charts/postgresql/charts/common/README.md
+++ /dev/null
@@ -1,235 +0,0 @@ -# Bitnami Common Library Chart - -A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts. - -## TL;DR - -```yaml -dependencies: - - name: common - version: 2.x.x - repository: oci://registry-1.docker.io/bitnamicharts -``` - -```console -helm dependency update -``` - -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.names.fullname" . }} -data: - myvalue: "Hello World" -``` - -Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. - -## Introduction - -This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. - -Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. - -## Prerequisites - -- Kubernetes 1.23+ -- Helm 3.8.0+ - -## Parameters - -## Special input schemas - -### ImageRoot - -```yaml -registry: - type: string - description: Docker registry where the image is located - example: docker.io - -repository: - type: string - description: Repository and image name - example: bitnami/nginx - -tag: - type: string - description: image tag - example: 1.16.1-debian-10-r63 - -pullPolicy: - type: string - description: Specify a imagePullPolicy.' - -pullSecrets: - type: array - items: - type: string - description: Optionally specify an array of imagePullSecrets (evaluated as templates). - -debug: - type: boolean - description: Set to true if you would like to see extra information on logs - example: false - -## An instance would be: -# registry: docker.io -# repository: bitnami/nginx -# tag: 1.16.1-debian-10-r63 -# pullPolicy: IfNotPresent -# debug: false -``` - -### Persistence - -```yaml -enabled: - type: boolean - description: Whether enable persistence. 
- example: true - -storageClass: - type: string - description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. - example: "-" - -accessMode: - type: string - description: Access mode for the Persistent Volume Storage. - example: ReadWriteOnce - -size: - type: string - description: Size the Persistent Volume Storage. - example: 8Gi - -path: - type: string - description: Path to be persisted. - example: /bitnami - -## An instance would be: -# enabled: true -# storageClass: "-" -# accessMode: ReadWriteOnce -# size: 8Gi -# path: /bitnami -``` - -### ExistingSecret - -```yaml -name: - type: string - description: Name of the existing secret. - example: mySecret -keyMapping: - description: Mapping between the expected key name and the name of the key in the existing secret. - type: object - -## An instance would be: -# name: mySecret -# keyMapping: -# password: myPasswordKey -``` - -#### Example of use - -When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. - -```yaml -# templates/secret.yaml ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.names.fullname" . }} - labels: - app: {{ include "common.names.fullname" . }} -type: Opaque -data: - password: {{ .Values.password | b64enc | quote }} - -# templates/dpl.yaml ---- -... - env: - - name: PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} - key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} -... 
- -# values.yaml ---- -name: mySecret -keyMapping: - password: myPasswordKey -``` - -### ValidateValue - -#### NOTES.txt - -```console -{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} -{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} - -{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} -``` - -If we force those values to be empty we will see some alerts - -```console -helm install test mychart --set path.to.value00="",path.to.value01="" - 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: - - export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) - - 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: - - export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d) -``` - -## Upgrading - -### To 1.0.0 - -[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. - -#### What changes were introduced in this major version? - -- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. -- Use `type: library`. 
[Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. -- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts - -#### Considerations when upgrading to this version - -- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues -- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore -- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 - -#### Useful links - -- -- -- - -## License - -Copyright © 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_affinities.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_affinities.tpl deleted file mode 100644 index d387dbe..0000000 --- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_affinities.tpl +++ /dev/null 
@@ -1,155 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Return a soft nodeAffinity definition -{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes.soft" -}} -preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: {{ .key }} - operator: In - values: - {{- range .values }} - - {{ . | quote }} - {{- end }} - weight: 1 -{{- end -}} - -{{/* -Return a hard nodeAffinity definition -{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes.hard" -}} -requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: {{ .key }} - operator: In - values: - {{- range .values }} - - {{ . | quote }} - {{- end }} -{{- end -}} - -{{/* -Return a nodeAffinity definition -{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes" -}} - {{- if eq .type "soft" }} - {{- include "common.affinities.nodes.soft" . -}} - {{- else if eq .type "hard" }} - {{- include "common.affinities.nodes.hard" . 
-}} - {{- end -}} -{{- end -}} - -{{/* -Return a topologyKey definition -{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}} -*/}} -{{- define "common.affinities.topologyKey" -}} -{{ .topologyKey | default "kubernetes.io/hostname" -}} -{{- end -}} - -{{/* -Return a soft podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} -*/}} -{{- define "common.affinities.pods.soft" -}} -{{- $component := default "" .component -}} -{{- $customLabels := default (dict) .customLabels -}} -{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} -{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} -{{- $extraNamespaces := default (list) .extraNamespaces -}} -preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - {{- range $key, $value := $extraMatchLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- if $extraNamespaces }} - namespaces: - - {{ .context.Release.Namespace }} - {{- with $extraNamespaces }} - {{ include "common.tplvalues.render" (dict "value" . 
"context" $) | nindent 8 }} - {{- end }} - {{- end }} - topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} - weight: 1 - {{- range $extraPodAffinityTerms }} - - podAffinityTerm: - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - {{- range $key, $value := .extraMatchLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} - weight: {{ .weight | default 1 -}} - {{- end -}} -{{- end -}} - -{{/* -Return a hard podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} -*/}} -{{- define "common.affinities.pods.hard" -}} -{{- $component := default "" .component -}} -{{- $customLabels := default (dict) .customLabels -}} -{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} -{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} -{{- $extraNamespaces := default (list) .extraNamespaces -}} -requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - {{- range $key, $value := $extraMatchLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- if $extraNamespaces }} - namespaces: - - {{ .context.Release.Namespace }} - {{- with $extraNamespaces }} - {{ include "common.tplvalues.render" (dict "value" . 
"context" $) | nindent 8 }} - {{- end }} - {{- end }} - topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} - {{- range $extraPodAffinityTerms }} - - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - {{- range $key, $value := .extraMatchLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} - {{- end -}} -{{- end -}} - -{{/* -Return a podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.pods" -}} - {{- if eq .type "soft" }} - {{- include "common.affinities.pods.soft" . -}} - {{- else if eq .type "hard" }} - {{- include "common.affinities.pods.hard" . -}} - {{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_capabilities.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_capabilities.tpl deleted file mode 100644 index 6423fb1..0000000 --- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_capabilities.tpl +++ /dev/null 
@@ -1,253 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Return the target Kubernetes version -*/}} -{{- define "common.capabilities.kubeVersion" -}} -{{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}} -{{- end -}} - -{{/* -Return true if the apiVersion is supported -Usage: -{{ include "common.capabilities.apiVersions.has" (dict "version" "batch/v1" "context" $) }} -*/}} -{{- define "common.capabilities.apiVersions.has" -}} -{{- $providedAPIVersions := default .context.Values.apiVersions ((.context.Values.global).apiVersions) -}} -{{- if and (empty $providedAPIVersions) (.context.Capabilities.APIVersions.Has .version) -}} - {{- true -}} -{{- else if has .version $providedAPIVersions -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for poddisruptionbudget. -*/}} -{{- define "common.capabilities.policy.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} -{{- print "policy/v1beta1" -}} -{{- else -}} -{{- print "policy/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for networkpolicy. -*/}} -{{- define "common.capabilities.networkPolicy.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.7-0" $kubeVersion) -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for job. -*/}} -{{- define "common.capabilities.job.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . 
-}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} -{{- print "batch/v1beta1" -}} -{{- else -}} -{{- print "batch/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for cronjob. -*/}} -{{- define "common.capabilities.cronjob.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} -{{- print "batch/v1beta1" -}} -{{- else -}} -{{- print "batch/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for daemonset. -*/}} -{{- define "common.capabilities.daemonset.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for deployment. -*/}} -{{- define "common.capabilities.deployment.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for statefulset. -*/}} -{{- define "common.capabilities.statefulset.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} -{{- print "apps/v1beta1" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for ingress. -*/}} -{{- define "common.capabilities.ingress.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . 
-}} -{{- if (.Values.ingress).apiVersion -}} -{{- .Values.ingress.apiVersion -}} -{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} -{{- print "extensions/v1beta1" -}} -{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end }} -{{- end -}} - -{{/* -Return the appropriate apiVersion for RBAC resources. -*/}} -{{- define "common.capabilities.rbac.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.17-0" $kubeVersion) -}} -{{- print "rbac.authorization.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "rbac.authorization.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for CRDs. -*/}} -{{- define "common.capabilities.crd.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} -{{- print "apiextensions.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "apiextensions.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for APIService. -*/}} -{{- define "common.capabilities.apiService.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.10-0" $kubeVersion) -}} -{{- print "apiregistration.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "apiregistration.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for Horizontal Pod Autoscaler. 
-*/}} -{{- define "common.capabilities.hpa.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} -{{- if .beta2 -}} -{{- print "autoscaling/v2beta2" -}} -{{- else -}} -{{- print "autoscaling/v2beta1" -}} -{{- end -}} -{{- else -}} -{{- print "autoscaling/v2" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for Vertical Pod Autoscaler. -*/}} -{{- define "common.capabilities.vpa.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.11-0" $kubeVersion) -}} -{{- print "autoscaling/v1beta1" -}} -{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} -{{- print "autoscaling/v1beta2" -}} -{{- else -}} -{{- print "autoscaling/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Returns true if PodSecurityPolicy is supported -*/}} -{{- define "common.capabilities.psp.supported" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if or (empty $kubeVersion) (semverCompare "<1.25-0" $kubeVersion) -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Returns true if AdmissionConfiguration is supported -*/}} -{{- define "common.capabilities.admissionConfiguration.supported" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if or (empty $kubeVersion) (not (semverCompare "<1.23-0" $kubeVersion)) -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for AdmissionConfiguration. -*/}} -{{- define "common.capabilities.admissionConfiguration.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . 
-}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} -{{- print "apiserver.config.k8s.io/v1alpha1" -}} -{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} -{{- print "apiserver.config.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "apiserver.config.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for PodSecurityConfiguration. -*/}} -{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} -{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}} -{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} -{{- print "pod-security.admission.config.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "pod-security.admission.config.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Returns true if the used Helm version is 3.3+. -A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. -This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. -**To be removed when the catalog's minimun Helm version is 3.3** -*/}} -{{- define "common.capabilities.supportsHelmVersion" -}} -{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} - {{- true -}} -{{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_compatibility.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_compatibility.tpl deleted file mode 100644 index 19c26db..0000000 --- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_compatibility.tpl +++ /dev/null 
@@ -1,46 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Return true if the detected platform is Openshift -Usage: -{{- include "common.compatibility.isOpenshift" . -}} -*/}} -{{- define "common.compatibility.isOpenshift" -}} -{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} -{{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC -Usage: -{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}} -*/}} -{{- define "common.compatibility.renderSecurityContext" -}} -{{- $adaptedContext := .secContext -}} - -{{- if (((.context.Values.global).compatibility).openshift) -}} - {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} - {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} - {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} - {{- if not .secContext.seLinuxOptions -}} - {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}} - {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{/* Remove empty seLinuxOptions object if global.compatibility.omitEmptySeLinuxOptions is set to true */}} -{{- if and (((.context.Values.global).compatibility).omitEmptySeLinuxOptions) (not .secContext.seLinuxOptions) -}} - {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} -{{- end -}} -{{/* Remove fields that 
are disregarded when running the container in privileged mode */}} -{{- if $adaptedContext.privileged -}} - {{- $adaptedContext = omit $adaptedContext "capabilities" -}} -{{- end -}} -{{- omit $adaptedContext "enabled" | toYaml -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_errors.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_errors.tpl deleted file mode 100644 index 93f3ffc..0000000 --- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_errors.tpl +++ /dev/null 
@@ -1,85 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Throw error when upgrading using empty passwords values that must not be empty. - -Usage: -{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} -{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} -{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} - -Required password params: - - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. - - context - Context - Required. Parent context. -*/}} -{{- define "common.errors.upgrade.passwords.empty" -}} - {{- $validationErrors := join "" .validationErrors -}} - {{- if and $validationErrors .context.Release.IsUpgrade -}} - {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} - {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} - {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} - {{- $errorString = print $errorString "\n%s" -}} - {{- printf $errorString $validationErrors | fail -}} - {{- end -}} -{{- end -}} - -{{/* -Throw error when original container images are replaced. -The error can be bypassed by setting the "global.security.allowInsecureImages" to true. In this case, -a warning message will be shown instead. 
- -Usage: -{{ include "common.errors.insecureImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }} -*/}} -{{- define "common.errors.insecureImages" -}} -{{- $relocatedImages := list -}} -{{- $replacedImages := list -}} -{{- $retaggedImages := list -}} -{{- $globalRegistry := ((.context.Values.global).imageRegistry) -}} -{{- $originalImages := .context.Chart.Annotations.images -}} -{{- range .images -}} - {{- $registryName := default .registry $globalRegistry -}} - {{- $fullImageNameNoTag := printf "%s/%s" $registryName .repository -}} - {{- $fullImageName := printf "%s:%s" $fullImageNameNoTag .tag -}} - {{- if not (contains $fullImageNameNoTag $originalImages) -}} - {{- if not (contains $registryName $originalImages) -}} - {{- $relocatedImages = append $relocatedImages $fullImageName -}} - {{- else if not (contains .repository $originalImages) -}} - {{- $replacedImages = append $replacedImages $fullImageName -}} - {{- end -}} - {{- end -}} - {{- if not (contains (printf "%s:%s" .repository .tag) $originalImages) -}} - {{- $retaggedImages = append $retaggedImages $fullImageName -}} - {{- end -}} -{{- end -}} - -{{- if and (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) (((.context.Values.global).security).allowInsecureImages) -}} - {{- print "\n\n⚠ SECURITY WARNING: Verifying original container images was skipped. Please note this Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.\n" -}} -{{- else if (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) -}} - {{- $errorString := "Original containers have been substituted for unrecognized ones. 
Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables." -}} - {{- $errorString = print $errorString "\n\nUnrecognized images:" -}} - {{- range (concat $relocatedImages $replacedImages) -}} - {{- $errorString = print $errorString "\n - " . -}} - {{- end -}} - {{- if or (contains "docker.io/bitnami/" $originalImages) (contains "docker.io/bitnamiprem/" $originalImages) -}} - {{- $errorString = print "\n\n⚠ ERROR: " $errorString -}} - {{- $errorString = print $errorString "\n\nIf you are sure you want to proceed with non-standard containers, you can skip container image verification by setting the global parameter 'global.security.allowInsecureImages' to true." -}} - {{- $errorString = print $errorString "\nFurther information can be obtained at https://github.com/bitnami/charts/issues/30850" -}} - {{- print $errorString | fail -}} - {{- else if gt (len $replacedImages) 0 -}} - {{- $errorString = print "\n\n⚠ WARNING: " $errorString -}} - {{- print $errorString -}} - {{- end -}} -{{- else if gt (len $retaggedImages) 0 -}} - {{- $warnString := "\n\n⚠ WARNING: Original containers have been retagged. Please note this Helm chart was tested, and validated on multiple platforms using a specific set of Tanzu Application Catalog containers. Substituting original image tags could cause unexpected behavior." -}} - {{- $warnString = print $warnString "\n\nRetagged images:" -}} - {{- range $retaggedImages -}} - {{- $warnString = print $warnString "\n - " . -}} - {{- end -}} - {{- print $warnString -}} -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_images.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_images.tpl deleted file mode 100644 index 76bb7ce..0000000 --- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_images.tpl +++ /dev/null 
@@ -1,115 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Return the proper image name. -If image tag and digest are not defined, termination fallbacks to chart appVersion. -{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global "chart" .Chart ) }} -*/}} -{{- define "common.images.image" -}} -{{- $registryName := default .imageRoot.registry ((.global).imageRegistry) -}} -{{- $repositoryName := .imageRoot.repository -}} -{{- $separator := ":" -}} -{{- $termination := .imageRoot.tag | toString -}} - -{{- if not .imageRoot.tag }} - {{- if .chart }} - {{- $termination = .chart.AppVersion | toString -}} - {{- end -}} -{{- end -}} -{{- if .imageRoot.digest }} - {{- $separator = "@" -}} - {{- $termination = .imageRoot.digest | toString -}} -{{- end -}} -{{- if $registryName }} - {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} -{{- else -}} - {{- printf "%s%s%s" $repositoryName $separator $termination -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) -{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} -*/}} -{{- define "common.images.pullSecrets" -}} - {{- $pullSecrets := list }} - - {{- range ((.global).imagePullSecrets) -}} - {{- if kindIs "map" . -}} - {{- $pullSecrets = append $pullSecrets .name -}} - {{- else -}} - {{- $pullSecrets = append $pullSecrets . -}} - {{- end }} - {{- end -}} - - {{- range .images -}} - {{- range .pullSecrets -}} - {{- if kindIs "map" . -}} - {{- $pullSecrets = append $pullSecrets .name -}} - {{- else -}} - {{- $pullSecrets = append $pullSecrets . 
-}} - {{- end -}} - {{- end -}} - {{- end -}} - - {{- if (not (empty $pullSecrets)) -}} -imagePullSecrets: - {{- range $pullSecrets | uniq }} - - name: {{ . }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names evaluating values as templates -{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} -*/}} -{{- define "common.images.renderPullSecrets" -}} - {{- $pullSecrets := list }} - {{- $context := .context }} - - {{- range (($context.Values.global).imagePullSecrets) -}} - {{- if kindIs "map" . -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} - {{- else -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} - {{- end -}} - {{- end -}} - - {{- range .images -}} - {{- range .pullSecrets -}} - {{- if kindIs "map" . -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} - {{- else -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} - {{- end -}} - {{- end -}} - {{- end -}} - - {{- if (not (empty $pullSecrets)) -}} -imagePullSecrets: - {{- range $pullSecrets | uniq }} - - name: {{ . 
}} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion) -{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }} -*/}} -{{- define "common.images.version" -}} -{{- $imageTag := .imageRoot.tag | toString -}} -{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}} -{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}} - {{- $version := semver $imageTag -}} - {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}} -{{- else -}} - {{- print .chart.AppVersion -}} -{{- end -}} -{{- end -}} - diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_ingress.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_ingress.tpl deleted file mode 100644 index 7d2b879..0000000 --- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_ingress.tpl +++ /dev/null 
@@ -1,73 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Generate backend entry that is compatible with all Kubernetes API versions. - -Usage: -{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} - -Params: - - serviceName - String. Name of an existing service backend - - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. - - context - Dict - Required. The context for the template evaluation. -*/}} -{{- define "common.ingress.backend" -}} -{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} -{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} -serviceName: {{ .serviceName }} -servicePort: {{ .servicePort }} -{{- else -}} -service: - name: {{ .serviceName }} - port: - {{- if typeIs "string" .servicePort }} - name: {{ .servicePort }} - {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} - number: {{ .servicePort | int }} - {{- end }} -{{- end -}} -{{- end -}} - -{{/* -Print "true" if the API pathType field is supported -Usage: -{{ include "common.ingress.supportsPathType" . }} -*/}} -{{- define "common.ingress.supportsPathType" -}} -{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} -{{- print "false" -}} -{{- else -}} -{{- print "true" -}} -{{- end -}} -{{- end -}} - -{{/* -Returns true if the ingressClassname field is supported -Usage: -{{ include "common.ingress.supportsIngressClassname" . }} -*/}} -{{- define "common.ingress.supportsIngressClassname" -}} -{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) 
-}} -{{- print "false" -}} -{{- else -}} -{{- print "true" -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if cert-manager required annotations for TLS signed -certificates are set in the Ingress annotations -Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations -Usage: -{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} -*/}} -{{- define "common.ingress.certManagerRequest" -}} -{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }} - {{- true -}} -{{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_labels.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_labels.tpl deleted file mode 100644 index 0a0cc54..0000000 --- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_labels.tpl +++ /dev/null 
@@ -1,46 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Kubernetes standard labels -{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}} -*/}} -{{- define "common.labels.standard" -}} -{{- if and (hasKey . "customLabels") (hasKey . "context") -}} -{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}} -{{- with .context.Chart.AppVersion -}} -{{- $_ := set $default "app.kubernetes.io/version" . -}} -{{- end -}} -{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }} -{{- else -}} -app.kubernetes.io/name: {{ include "common.names.name" . }} -helm.sh/chart: {{ include "common.names.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- with .Chart.AppVersion }} -app.kubernetes.io/version: {{ . | quote }} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector -{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}} - -We don't want to loop over custom labels appending them to the selector -since it's very likely that it will break deployments, services, etc. -However, it's important to overwrite the standard labels if the user -overwrote them on metadata.labels fields. -*/}} -{{- define "common.labels.matchLabels" -}} -{{- if and (hasKey . "customLabels") (hasKey . 
"context") -}} -{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }} -{{- else -}} -app.kubernetes.io/name: {{ include "common.names.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_names.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_names.tpl deleted file mode 100644 index ba83956..0000000 --- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_names.tpl +++ /dev/null 
@@ -1,71 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "common.names.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "common.names.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "common.names.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create a default fully qualified dependency name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. 
-Usage: -{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} -*/}} -{{- define "common.names.dependency.fullname" -}} -{{- if .chartValues.fullnameOverride -}} -{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .chartName .chartValues.nameOverride -}} -{{- if contains $name .context.Release.Name -}} -{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Allow the release namespace to be overridden for multi-namespace deployments in combined charts. -*/}} -{{- define "common.names.namespace" -}} -{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a fully qualified app name adding the installation's namespace. -*/}} -{{- define "common.names.fullname.namespace" -}} -{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_resources.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_resources.tpl deleted file mode 100644 index d8a43e1..0000000 --- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_resources.tpl +++ /dev/null 
@@ -1,50 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Return a resource request/limit object based on a given preset. -These presets are for basic testing and not meant to be used in production -{{ include "common.resources.preset" (dict "type" "nano") -}} -*/}} -{{- define "common.resources.preset" -}} -{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}} -{{- $presets := dict - "nano" (dict - "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") - "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi") - ) - "micro" (dict - "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") - "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi") - ) - "small" (dict - "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") - "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi") - ) - "medium" (dict - "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") - "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi") - ) - "large" (dict - "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") - "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi") - ) - "xlarge" (dict - "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") - "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi") - ) - "2xlarge" (dict - "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") - "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi") - ) - }} -{{- if hasKey $presets .type -}} -{{- index $presets .type | toYaml -}} -{{- else -}} -{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} -{{- end -}} -{{- end -}} 
diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_secrets.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_secrets.tpl
deleted file mode 100644
index bfef469..0000000
--- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_secrets.tpl
+++ /dev/null
@@ -1,192 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Generate secret name. - -Usage: -{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} - -Params: - - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user - to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. - +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret - - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. - - context - Dict - Required. The context for the template evaluation. -*/}} -{{- define "common.secrets.name" -}} -{{- $name := (include "common.names.fullname" .context) -}} - -{{- if .defaultNameSuffix -}} -{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{- with .existingSecret -}} -{{- if not (typeIs "string" .) -}} -{{- with .name -}} -{{- $name = . -}} -{{- end -}} -{{- else -}} -{{- $name = . -}} -{{- end -}} -{{- end -}} - -{{- printf "%s" $name -}} -{{- end -}} - -{{/* -Generate secret key. - -Usage: -{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} - -Params: - - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user - to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. - +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret - - key - String - Required. Name of the key in the secret. 
-*/}} -{{- define "common.secrets.key" -}} -{{- $key := .key -}} - -{{- if .existingSecret -}} - {{- if not (typeIs "string" .existingSecret) -}} - {{- if .existingSecret.keyMapping -}} - {{- $key = index .existingSecret.keyMapping $.key -}} - {{- end -}} - {{- end }} -{{- end -}} - -{{- printf "%s" $key -}} -{{- end -}} - -{{/* -Generate secret password or retrieve one if already created. - -Usage: -{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $) }} - -Params: - - secret - String - Required - Name of the 'Secret' resource where the password is stored. - - key - String - Required - Name of the key in the secret. - - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. - - length - int - Optional - Length of the generated random password. - - strong - Boolean - Optional - Whether to add symbols to the generated random password. - - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - - context - Context - Required - Parent context. - - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. - - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. - - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. - - honorProvidedValues - Boolean - Optional - Default to false. If set to true, the values in providedValues have higher priority than an existing secret -The order in which this function returns a secret password: - 1. 
Password provided via the values.yaml if honorProvidedValues = true - (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) - 2. Already existing 'Secret' resource - (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) - 3. Password provided via the values.yaml if honorProvidedValues = false - (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) - 4. Randomly generated secret password - (A new random secret password with the length specified in the 'length' parameter will be generated and returned) - -*/}} -{{- define "common.secrets.passwords.manage" -}} - -{{- $password := "" }} -{{- $subchart := "" }} -{{- $chartName := default "" .chartName }} -{{- $passwordLength := default 10 .length }} -{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} -{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} -{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} -{{- if $secretData }} - {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | b64dec }} - {{- else if not (eq .failOnNew false) }} - {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} - {{- end -}} -{{- end }} - -{{- if and $providedPasswordValue .honorProvidedValues }} - {{- $password = $providedPasswordValue | toString }} -{{- end }} - -{{- if not $password 
}} - {{- if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString }} - {{- else }} - {{- if .context.Values.enabled }} - {{- $subchart = $chartName }} - {{- end -}} - - {{- if not (eq .failOnNew false) }} - {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} - {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} - {{- $passwordValidationErrors := list $requiredPasswordError -}} - {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} - {{- end }} - - {{- if .strong }} - {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} - {{- $password = randAscii $passwordLength }} - {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} - {{- else }} - {{- $password = randAlphaNum $passwordLength }} - {{- end }} - {{- end -}} -{{- end -}} -{{- if not .skipB64enc }} -{{- $password = $password | b64enc }} -{{- end -}} -{{- if .skipQuote -}} -{{- printf "%s" $password -}} -{{- else -}} -{{- printf "%s" $password | quote -}} -{{- end -}} -{{- end -}} - -{{/* -Reuses the value from an existing secret, otherwise sets its value to a default value. - -Usage: -{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }} - -Params: - - secret - String - Required - Name of the 'Secret' resource where the password is stored. - - key - String - Required - Name of the key in the secret. - - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. - - context - Context - Required - Parent context. 
- -*/}} -{{- define "common.secrets.lookup" -}} -{{- $value := "" -}} -{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}} -{{- if and $secretData (hasKey $secretData .key) -}} - {{- $value = index $secretData .key -}} -{{- else if .defaultValue -}} - {{- $value = .defaultValue | toString | b64enc -}} -{{- end -}} -{{- if $value -}} -{{- printf "%s" $value -}} -{{- end -}} -{{- end -}} - -{{/* -Returns whether a previous generated secret already exists - -Usage: -{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} - -Params: - - secret - String - Required - Name of the 'Secret' resource where the password is stored. - - context - Context - Required - Parent context. -*/}} -{{- define "common.secrets.exists" -}} -{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }} -{{- if $secret }} - {{- true -}} -{{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_storage.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_storage.tpl deleted file mode 100644 index aa75856..0000000 --- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_storage.tpl +++ /dev/null @@ -1,21 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Return the proper Storage Class -{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} -*/}} -{{- define "common.storage.class" -}} -{{- $storageClass := (.global).storageClass | default .persistence.storageClass | default (.global).defaultStorageClass | default "" -}} -{{- if $storageClass -}} - {{- if (eq "-" $storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else -}} - {{- printf "storageClassName: %s" $storageClass -}} - {{- end -}} -{{- end -}} -{{- end -}} 
diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_tplvalues.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_tplvalues.tpl
deleted file mode 100644
index a04f4c1..0000000
--- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_tplvalues.tpl
+++ /dev/null
@@ -1,52 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Renders a value that contains template perhaps with scope if the scope is present. -Usage: -{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} -{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} -*/}} -{{- define "common.tplvalues.render" -}} -{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }} -{{- if contains "{{" (toJson .value) }} - {{- if .scope }} - {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} - {{- else }} - {{- tpl $value .context }} - {{- end }} -{{- else }} - {{- $value }} -{{- end }} -{{- end -}} - -{{/* -Merge a list of values that contains template after rendering them. -Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge -Usage: -{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} -*/}} -{{- define "common.tplvalues.merge" -}} -{{- $dst := dict -}} -{{- range .values -}} -{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}} -{{- end -}} -{{ $dst | toYaml }} -{{- end -}} - -{{/* -Merge a list of values that contains template after rendering them. -Merge precedence is consistent with https://masterminds.github.io/sprig/dicts.html#mergeoverwrite-mustmergeoverwrite -Usage: -{{ include "common.tplvalues.merge-overwrite" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} -*/}} -{{- define "common.tplvalues.merge-overwrite" -}} -{{- $dst := dict -}} -{{- range .values -}} -{{- $dst = include "common.tplvalues.render" (dict "value" . 
"context" $.context "scope" $.scope) | fromYaml | mergeOverwrite $dst -}} -{{- end -}} -{{ $dst | toYaml }} -{{- end -}}
diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_utils.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_utils.tpl
deleted file mode 100644
index d53c74a..0000000
--- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_utils.tpl
+++ /dev/null
@@ -1,77 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Print instructions to get a secret value. -Usage: -{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} -*/}} -{{- define "common.utils.secret.getvalue" -}} -{{- $varname := include "common.utils.fieldToEnvVar" . -}} -export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d) -{{- end -}} - -{{/* -Build env var name given a field -Usage: -{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} -*/}} -{{- define "common.utils.fieldToEnvVar" -}} - {{- $fieldNameSplit := splitList "-" .field -}} - {{- $upperCaseFieldNameSplit := list -}} - - {{- range $fieldNameSplit -}} - {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} - {{- end -}} - - {{ join "_" $upperCaseFieldNameSplit }} -{{- end -}} - -{{/* -Gets a value from .Values given -Usage: -{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} -*/}} -{{- define "common.utils.getValueFromKey" -}} -{{- $splitKey := splitList "." .key -}} -{{- $value := "" -}} -{{- $latestObj := $.context.Values -}} -{{- range $splitKey -}} - {{- if not $latestObj -}} - {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} - {{- end -}} - {{- $value = ( index $latestObj . 
) -}} - {{- $latestObj = $value -}} -{{- end -}} -{{- printf "%v" (default "" $value) -}} -{{- end -}} - -{{/* -Returns first .Values key with a defined value or first of the list if all non-defined -Usage: -{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} -*/}} -{{- define "common.utils.getKeyFromList" -}} -{{- $key := first .keys -}} -{{- $reverseKeys := reverse .keys }} -{{- range $reverseKeys }} - {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} - {{- if $value -}} - {{- $key = . }} - {{- end -}} -{{- end -}} -{{- printf "%s" $key -}} -{{- end -}} - -{{/* -Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376). -Usage: -{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }} -*/}} -{{- define "common.utils.checksumTemplate" -}} -{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}} -{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_warnings.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_warnings.tpl deleted file mode 100644 index 62c44df..0000000 --- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/_warnings.tpl +++ /dev/null 
@@ -1,109 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Warning about using rolling tag. -Usage: -{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} -*/}} -{{- define "common.warnings.rollingTag" -}} - -{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} -WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html -{{- end }} -{{- end -}} - -{{/* -Warning about replaced images from the original. -Usage: -{{ include "common.warnings.modifiedImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }} -*/}} -{{- define "common.warnings.modifiedImages" -}} -{{- $affectedImages := list -}} -{{- $printMessage := false -}} -{{- $originalImages := .context.Chart.Annotations.images -}} -{{- range .images -}} - {{- $fullImageName := printf (printf "%s/%s:%s" .registry .repository .tag) -}} - {{- if not (contains $fullImageName $originalImages) }} - {{- $affectedImages = append $affectedImages (printf "%s/%s:%s" .registry .repository .tag) -}} - {{- $printMessage = true -}} - {{- end -}} -{{- end -}} -{{- if $printMessage }} - -⚠ SECURITY WARNING: Original containers have been substituted. This Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables. - -Substituted images detected: -{{- range $affectedImages }} - - {{ . 
}} -{{- end }} -{{- end -}} -{{- end -}} - -{{/* -Warning about not setting the resource object in all deployments. -Usage: -{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} -Example: -{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} -The list in the example assumes that the following values exist: - - csiProvider.provider.resources - - server.resources - - volumePermissions.resources - - resources -*/}} -{{- define "common.warnings.resources" -}} -{{- $values := .context.Values -}} -{{- $printMessage := false -}} -{{ $affectedSections := list -}} -{{- range .sections -}} - {{- if eq . "" -}} - {{/* Case where the resources section is at the root (one main deployment in the chart) */}} - {{- if not (index $values "resources") -}} - {{- $affectedSections = append $affectedSections "resources" -}} - {{- $printMessage = true -}} - {{- end -}} - {{- else -}} - {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} - {{- $keys := split "." . -}} - {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} - {{- $section := $values -}} - {{- range $keys -}} - {{- $section = index $section . -}} - {{- end -}} - {{- if not (index $section "resources") -}} - {{/* If the section has enabled=false or replicaCount=0, do not include it */}} - {{- if and (hasKey $section "enabled") -}} - {{- if index $section "enabled" -}} - {{/* enabled=true */}} - {{- $affectedSections = append $affectedSections (printf "%s.resources" .) 
-}} - {{- $printMessage = true -}} - {{- end -}} - {{- else if and (hasKey $section "replicaCount") -}} - {{/* We need a casting to int because number 0 is not treated as an int by default */}} - {{- if (gt (index $section "replicaCount" | int) 0) -}} - {{/* replicaCount > 0 */}} - {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} - {{- $printMessage = true -}} - {{- end -}} - {{- else -}} - {{/* Default case, add it to the affected sections */}} - {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} - {{- $printMessage = true -}} - {{- end -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{- if $printMessage }} - -WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: -{{- range $affectedSections }} - - {{ . }} -{{- end }} -+info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ -{{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_cassandra.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_cassandra.tpl deleted file mode 100644 index f8fd213..0000000 --- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_cassandra.tpl +++ /dev/null 
@@ -1,51 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.cassandra.values.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.dbUser.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled cassandra. - -Usage: -{{ include "common.cassandra.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.cassandra.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.cassandra.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key dbUser - -Usage: -{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.cassandra.values.key.dbUser" -}} - {{- if .subchart -}} - cassandra.dbUser - {{- else -}} - dbUser - {{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_mariadb.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_mariadb.tpl deleted file mode 100644 index 6ea8c0f..0000000 --- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_mariadb.tpl +++ /dev/null 
@@ -1,108 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Validate MariaDB required passwords are not empty. - -Usage: -{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.mariadb.passwords" -}} - {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mariadb.values.enabled" . -}} - {{- $architecture := include "common.mariadb.values.architecture" . -}} - {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- if not (empty $valueUsername) -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replication") -}} - {{- $requiredReplicationPassword := dict "valueKey" 
$valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.auth.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.mariadb.auth.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.auth.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled mariadb. - -Usage: -{{ include "common.mariadb.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.mariadb.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.mariadb.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for architecture - -Usage: -{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.architecture" -}} - {{- if .subchart -}} - {{- .context.Values.mariadb.architecture -}} - {{- else -}} - {{- .context.Values.architecture -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key auth - -Usage: -{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. 
Default: false -*/}} -{{- define "common.mariadb.values.key.auth" -}} - {{- if .subchart -}} - mariadb.auth - {{- else -}} - auth - {{- end -}} -{{- end -}}
diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_mongodb.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_mongodb.tpl
deleted file mode 100644
index e678a6d..0000000
--- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_mongodb.tpl
+++ /dev/null
@@ -1,67 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.auth.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.mongodb.auth.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.auth.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled mongodb. - -Usage: -{{ include "common.mongodb.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.mongodb.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.mongodb.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key auth - -Usage: -{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.key.auth" -}} - {{- if .subchart -}} - mongodb.auth - {{- else -}} - auth - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for architecture - -Usage: -{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.architecture" -}} - {{- if .subchart -}} - {{- .context.Values.mongodb.architecture -}} - {{- else -}} - {{- .context.Values.architecture -}} - {{- end -}} -{{- end -}} 
diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_mysql.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_mysql.tpl
deleted file mode 100644
index fbb65c3..0000000
--- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_mysql.tpl
+++ /dev/null
@@ -1,67 +0,0 @@
-{{/*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Auxiliary function to get the right value for existingSecret.
-
-Usage:
-{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }}
-Params:
- - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
-*/}}
-{{- define "common.mysql.values.auth.existingSecret" -}}
- {{- if .subchart -}}
- {{- .context.Values.mysql.auth.existingSecret | quote -}}
- {{- else -}}
- {{- .context.Values.auth.existingSecret | quote -}}
- {{- end -}}
-{{- end -}}
-
-{{/*
-Auxiliary function to get the right value for enabled mysql.
-
-Usage:
-{{ include "common.mysql.values.enabled" (dict "context" $) }}
-*/}}
-{{- define "common.mysql.values.enabled" -}}
- {{- if .subchart -}}
- {{- printf "%v" .context.Values.mysql.enabled -}}
- {{- else -}}
- {{- printf "%v" (not .context.Values.enabled) -}}
- {{- end -}}
-{{- end -}}
-
-{{/*
-Auxiliary function to get the right value for architecture
-
-Usage:
-{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }}
-Params:
- - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
-*/}}
-{{- define "common.mysql.values.architecture" -}}
- {{- if .subchart -}}
- {{- .context.Values.mysql.architecture -}}
- {{- else -}}
- {{- .context.Values.architecture -}}
- {{- end -}}
-{{- end -}}
-
-{{/*
-Auxiliary function to get the right value for the key auth
-
-Usage:
-{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }}
-Params:
- - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
-*/}}
-{{- define "common.mysql.values.key.auth" -}}
- {{- if .subchart -}}
- mysql.auth
- {{- else -}}
- auth
- {{- end -}}
-{{- end -}}
diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_postgresql.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_postgresql.tpl
deleted file mode 100644
index 51d4716..0000000
--- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_postgresql.tpl
+++ /dev/null
@@ -1,105 +0,0 @@
-{{/*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Auxiliary function to decide whether evaluate global values.
-
-Usage:
-{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }}
-Params:
- - key - String - Required. Field to be evaluated within global, e.g: "existingSecret"
-*/}}
-{{- define "common.postgresql.values.use.global" -}}
- {{- if .context.Values.global -}}
- {{- if .context.Values.global.postgresql -}}
- {{- index .context.Values.global.postgresql .key | quote -}}
- {{- end -}}
- {{- end -}}
-{{- end -}}
-
-{{/*
-Auxiliary function to get the right value for existingSecret.
-
-Usage:
-{{ include "common.postgresql.values.existingSecret" (dict "context" $) }}
-*/}}
-{{- define "common.postgresql.values.existingSecret" -}}
- {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}}
-
- {{- if .subchart -}}
- {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}}
- {{- else -}}
- {{- default (.context.Values.existingSecret | quote) $globalValue -}}
- {{- end -}}
-{{- end -}}
-
-{{/*
-Auxiliary function to get the right value for enabled postgresql.
-
-Usage:
-{{ include "common.postgresql.values.enabled" (dict "context" $) }}
-*/}}
-{{- define "common.postgresql.values.enabled" -}}
- {{- if .subchart -}}
- {{- printf "%v" .context.Values.postgresql.enabled -}}
- {{- else -}}
- {{- printf "%v" (not .context.Values.enabled) -}}
- {{- end -}}
-{{- end -}}
-
-{{/*
-Auxiliary function to get the right value for the key postgressPassword.
-
-Usage:
-{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }}
-Params:
- - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
-*/}}
-{{- define "common.postgresql.values.key.postgressPassword" -}}
- {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}}
-
- {{- if not $globalValue -}}
- {{- if .subchart -}}
- postgresql.postgresqlPassword
- {{- else -}}
- postgresqlPassword
- {{- end -}}
- {{- else -}}
- global.postgresql.postgresqlPassword
- {{- end -}}
-{{- end -}}
-
-{{/*
-Auxiliary function to get the right value for enabled.replication.
-
-Usage:
-{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }}
-Params:
- - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
-*/}}
-{{- define "common.postgresql.values.enabled.replication" -}}
- {{- if .subchart -}}
- {{- printf "%v" .context.Values.postgresql.replication.enabled -}}
- {{- else -}}
- {{- printf "%v" .context.Values.replication.enabled -}}
- {{- end -}}
-{{- end -}}
-
-{{/*
-Auxiliary function to get the right value for the key replication.password.
-
-Usage:
-{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }}
-Params:
- - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
-*/}}
-{{- define "common.postgresql.values.key.replicationPassword" -}}
- {{- if .subchart -}}
- postgresql.replication.password
- {{- else -}}
- replication.password
- {{- end -}}
-{{- end -}}
diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_redis.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_redis.tpl
deleted file mode 100644
index 9fedfef..0000000
--- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_redis.tpl
+++ /dev/null
@@ -1,48 +0,0 @@
-{{/*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Auxiliary function to get the right value for enabled redis.
-
-Usage:
-{{ include "common.redis.values.enabled" (dict "context" $) }}
-*/}}
-{{- define "common.redis.values.enabled" -}}
- {{- if .subchart -}}
- {{- printf "%v" .context.Values.redis.enabled -}}
- {{- else -}}
- {{- printf "%v" (not .context.Values.enabled) -}}
- {{- end -}}
-{{- end -}}
-
-{{/*
-Auxiliary function to get the right prefix path for the values
-
-Usage:
-{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }}
-Params:
- - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
-*/}}
-{{- define "common.redis.values.keys.prefix" -}}
- {{- if .subchart -}}redis.{{- else -}}{{- end -}}
-{{- end -}}
-
-{{/*
-Checks whether the redis chart's includes the standarizations (version >= 14)
-
-Usage:
-{{ include "common.redis.values.standarized.version" (dict "context" $) }}
-*/}}
-{{- define "common.redis.values.standarized.version" -}}
-
- {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}}
- {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }}
-
- {{- if $standarizedAuthValues -}}
- {{- true -}}
- {{- end -}}
-{{- end -}}
diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_validations.tpl b/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_validations.tpl
deleted file mode 100644
index 7cdee61..0000000
--- a/charts/gitea-bitnami/charts/postgresql/charts/common/templates/validations/_validations.tpl
+++ /dev/null
@@ -1,51 +0,0 @@
-{{/*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Validate values must not be empty.
-
-Usage:
-{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}}
-{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}}
-{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
-
-Validate value params:
- - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
- - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
- - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
-*/}}
-{{- define "common.validations.values.multiple.empty" -}}
- {{- range .required -}}
- {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}}
- {{- end -}}
-{{- end -}}
-
-{{/*
-Validate a value must not be empty.
-
-Usage:
-{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }}
-
-Validate value params:
- - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
- - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
- - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
- - subchart - String - Optional - Name of the subchart that the validated password is part of.
-*/}}
-{{- define "common.validations.values.single.empty" -}}
- {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }}
- {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }}
-
- {{- if not $value -}}
- {{- $varname := "my-value" -}}
- {{- $getCurrentValue := "" -}}
- {{- if and .secret .field -}}
- {{- $varname = include "common.utils.fieldToEnvVar" . -}}
- {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}}
- {{- end -}}
- {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}}
- {{- end -}}
-{{- end -}}
diff --git a/charts/gitea-bitnami/charts/postgresql/charts/common/values.yaml b/charts/gitea-bitnami/charts/postgresql/charts/common/values.yaml
deleted file mode 100644
index de2cac5..0000000
--- a/charts/gitea-bitnami/charts/postgresql/charts/common/values.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# Copyright Broadcom, Inc. All Rights Reserved.
-# SPDX-License-Identifier: APACHE-2.0
-
-## bitnami/common
-## It is required by CI/CD tools and processes.
-## @skip exampleValue
-##
-exampleValue: common-chart
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/NOTES.txt b/charts/gitea-bitnami/charts/postgresql/templates/NOTES.txt
deleted file mode 100644
index 61c5c78..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/NOTES.txt
+++ /dev/null
@@ -1,121 +0,0 @@ -{{- $releaseNamespace := include "common.names.namespace" . }} -CHART NAME: {{ .Chart.Name }} -CHART VERSION: {{ .Chart.Version }} -APP VERSION: {{ .Chart.AppVersion }} - -Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami for more information. - -** Please be patient while the chart is being deployed ** - -{{- if .Values.diagnosticMode.enabled }} -The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: - - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} - -Get the list of pods by executing: - - kubectl get pods --namespace {{ $releaseNamespace }} -l app.kubernetes.io/instance={{ .Release.Name }} - -Access the pod you want to debug by executing - - kubectl exec --namespace {{ $releaseNamespace }} -ti -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash - -In order to replicate the container startup scripts execute this command: - - /opt/bitnami/scripts/postgresql/entrypoint.sh /opt/bitnami/scripts/postgresql/run.sh - -{{- else }} - -{{- $customUser := include "postgresql.v1.username" . }} -{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) 
"key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary .Values.auth.postgresPassword .Values.auth.password (eq $customUser "postgres")) "context" $) -}} -{{- $authEnabled := and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres"))) }} -{{- if not $authEnabled }} - -WARNING: PostgreSQL has been configured without authentication, this is not recommended for production environments. -{{- end }} - -PostgreSQL can be accessed via port {{ include "postgresql.v1.service.port" . }} on the following DNS names from within your cluster: - - {{ include "postgresql.v1.primary.fullname" . }}.{{ $releaseNamespace }}.svc.cluster.local - Read/Write connection - -{{- if eq .Values.architecture "replication" }} - - {{ include "postgresql.v1.readReplica.fullname" . }}.{{ $releaseNamespace }}.svc.cluster.local - Read only connection - -{{- end }} - -{{- if and (not (empty $customUser)) (ne $customUser "postgres") }} -{{- if .Values.auth.enablePostgresUser }} - -To get the password for "postgres" run: - - export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ $releaseNamespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{include "postgresql.v1.adminPasswordKey" .}}}" | base64 -d) -{{- end }} - -To get the password for "{{ $customUser }}" run: - - export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ $releaseNamespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{include "postgresql.v1.userPasswordKey" .}}}" | base64 -d) -{{- else }} -{{- if .Values.auth.enablePostgresUser }} - -To get the password for "{{ default "postgres" $customUser }}" run: - - export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ $releaseNamespace }} {{ include "postgresql.v1.secretName" . }} -o jsonpath="{.data.{{ ternary "password" (include "postgresql.v1.adminPasswordKey" .) 
(and (not (empty $customUser)) (ne $customUser "postgres")) }}}" | base64 -d) -{{- end }} -{{- end }} - -To connect to your database run the following command: - {{- if $authEnabled }} - - kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ $releaseNamespace }} --image {{ include "postgresql.v1.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" \ - --command -- psql --host {{ include "postgresql.v1.primary.fullname" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }} - {{- else }} - - kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ $releaseNamespace }} --image {{ include "postgresql.v1.image" . }} \ - --command -- psql --host {{ include "postgresql.v1.primary.fullname" . }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }} - {{- end }} - - > NOTE: If you access the container using bash, make sure that you execute "/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash" in order to avoid the error "psql: local user with ID {{ .Values.primary.containerSecurityContext.runAsUser }}} does not exist" - -To connect to your database from outside the cluster execute the following commands: - -{{- if contains "NodePort" .Values.primary.service.type }} - - export NODE_IP=$(kubectl get nodes --namespace {{ $releaseNamespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - export NODE_PORT=$(kubectl get --namespace {{ $releaseNamespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "postgresql.v1.primary.fullname" . 
}}) - {{- if $authEnabled }} - PGPASSWORD="$POSTGRES_PASSWORD" psql --host $NODE_IP --port $NODE_PORT -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} - {{- else }} - psql --host $NODE_IP --port $NODE_PORT -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} - {{- end }} -{{- else if contains "LoadBalancer" .Values.primary.service.type }} - - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ $releaseNamespace }} -w {{ include "postgresql.v1.primary.fullname" . }}' - - export SERVICE_IP=$(kubectl get svc --namespace {{ $releaseNamespace }} {{ include "postgresql.v1.primary.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") - {{- if $authEnabled }} - PGPASSWORD="$POSTGRES_PASSWORD" psql --host $SERVICE_IP --port {{ include "postgresql.v1.service.port" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} - {{- else }} - psql --host $SERVICE_IP --port {{ include "postgresql.v1.service.port" . }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} - {{- end }} -{{- else if contains "ClusterIP" .Values.primary.service.type }} - - kubectl port-forward --namespace {{ $releaseNamespace }} svc/{{ include "postgresql.v1.primary.fullname" . }} {{ include "postgresql.v1.service.port" . }}:{{ include "postgresql.v1.service.port" . }} & - {{- if $authEnabled }} - PGPASSWORD="$POSTGRES_PASSWORD" psql --host 127.0.0.1 -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . 
}}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }} - {{- else }} - psql --host 127.0.0.1 -d {{- if include "postgresql.v1.database" . }} {{ include "postgresql.v1.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.v1.service.port" . }} - {{- end }} -{{- end }} -{{- end }} - -WARNING: The configured password will be ignored on new installation in case when previous PostgreSQL release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. - -{{- include "postgresql.v1.validateValues" . -}} -{{- include "common.warnings.rollingTag" .Values.image -}} -{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} -{{- include "common.warnings.resources" (dict "sections" (list "metrics" "primary" "readReplicas" "volumePermissions") "context" $) }} -{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }} -{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }} diff --git a/charts/gitea-bitnami/charts/postgresql/templates/_helpers.tpl b/charts/gitea-bitnami/charts/postgresql/templates/_helpers.tpl deleted file mode 100644 index ad738eb..0000000 --- a/charts/gitea-bitnami/charts/postgresql/templates/_helpers.tpl +++ /dev/null 
@@ -1,455 +0,0 @@
-{{/*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{/* vim: set filetype=mustache: */}}
-
-{{/*
-Create a default fully qualified app name for PostgreSQL Primary objects
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{- define "postgresql.v1.primary.fullname" -}}
-{{- if eq .Values.architecture "replication" -}}
- {{- printf "%s-%s" (include "common.names.fullname" .) .Values.primary.name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
- {{- include "common.names.fullname" . -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name for PostgreSQL read-only replicas objects
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{- define "postgresql.v1.readReplica.fullname" -}}
-{{- printf "%s-%s" (include "common.names.fullname" .) .Values.readReplicas.name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the default FQDN for PostgreSQL primary headless service
-We truncate at 63 chars because of the DNS naming spec.
-*/}}
-{{- define "postgresql.v1.primary.svc.headless" -}}
-{{- printf "%s-hl" (include "postgresql.v1.primary.fullname" .) | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the default FQDN for PostgreSQL read-only replicas headless service
-We truncate at 63 chars because of the DNS naming spec.
-*/}}
-{{- define "postgresql.v1.readReplica.svc.headless" -}}
-{{- printf "%s-hl" (include "postgresql.v1.readReplica.fullname" .) | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Return the proper PostgreSQL image name
-*/}}
-{{- define "postgresql.v1.image" -}}
-{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
-{{- end -}}
-
-{{/*
-Return the proper PostgreSQL metrics image name
-*/}}
-{{- define "postgresql.v1.metrics.image" -}}
-{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }}
-{{- end -}}
-
-{{/*
-Return the proper image name (for the init container volume-permissions image)
-*/}}
-{{- define "postgresql.v1.volumePermissions.image" -}}
-{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
-{{- end -}}
-
-{{/*
-Return the proper Docker Image Registry Secret Names
-*/}}
-{{- define "postgresql.v1.imagePullSecrets" -}}
-{{ include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "context" $) }}
-{{- end -}}
-
-{{/*
-Return the name for a custom user to create
-*/}}
-{{- define "postgresql.v1.username" -}}
-{{- if .Values.global.postgresql.auth.username -}}
- {{- .Values.global.postgresql.auth.username -}}
-{{- else -}}
- {{- .Values.auth.username -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return the name for a custom database to create
-*/}}
-{{- define "postgresql.v1.database" -}}
-{{- if .Values.global.postgresql.auth.database -}}
- {{- printf "%s" (tpl .Values.global.postgresql.auth.database $) -}}
-{{- else if .Values.auth.database -}}
- {{- printf "%s" (tpl .Values.auth.database $) -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Get the password secret.
-*/}}
-{{- define "postgresql.v1.secretName" -}}
-{{- if .Values.global.postgresql.auth.existingSecret -}}
- {{- printf "%s" (tpl .Values.global.postgresql.auth.existingSecret $) -}}
-{{- else if .Values.auth.existingSecret -}}
- {{- printf "%s" (tpl .Values.auth.existingSecret $) -}}
-{{- else -}}
- {{- printf "%s" (include "common.names.fullname" .) -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Get the replication-password key.
-*/}}
-{{- define "postgresql.v1.replicationPasswordKey" -}}
-{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
- {{- if .Values.global.postgresql.auth.secretKeys.replicationPasswordKey -}}
- {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.replicationPasswordKey $) -}}
- {{- else if .Values.auth.secretKeys.replicationPasswordKey -}}
- {{- printf "%s" (tpl .Values.auth.secretKeys.replicationPasswordKey $) -}}
- {{- else -}}
- {{- "replication-password" -}}
- {{- end -}}
-{{- else -}}
- {{- "replication-password" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Get the admin-password key.
-*/}}
-{{- define "postgresql.v1.adminPasswordKey" -}}
-{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
- {{- if .Values.global.postgresql.auth.secretKeys.adminPasswordKey -}}
- {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.adminPasswordKey $) -}}
- {{- else if .Values.auth.secretKeys.adminPasswordKey -}}
- {{- printf "%s" (tpl .Values.auth.secretKeys.adminPasswordKey $) -}}
- {{- end -}}
-{{- else -}}
- {{- "postgres-password" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Get the user-password key.
-*/}}
-{{- define "postgresql.v1.userPasswordKey" -}}
-{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
- {{- if or (empty (include "postgresql.v1.username" .)) (eq (include "postgresql.v1.username" .) "postgres") -}}
- {{- printf "%s" (include "postgresql.v1.adminPasswordKey" .) -}}
- {{- else -}}
- {{- if .Values.global.postgresql.auth.secretKeys.userPasswordKey -}}
- {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.userPasswordKey $) -}}
- {{- else if .Values.auth.secretKeys.userPasswordKey -}}
- {{- printf "%s" (tpl .Values.auth.secretKeys.userPasswordKey $) -}}
- {{- end -}}
- {{- end -}}
-{{- else -}}
- {{- "password" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return true if a secret object should be created
-*/}}
-{{- define "postgresql.v1.createSecret" -}}
-{{- $customUser := include "postgresql.v1.username" . -}}
-{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword .Values.global.postgresql.auth.password .Values.auth.password) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) -}}
-{{- if and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres")) (eq .Values.architecture "replication") (and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw))) -}}
- {{- true -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return true if a secret object should be created for PostgreSQL
-*/}}
-{{- define "postgresql.v1.createPreviousSecret" -}}
-{{- if and .Values.passwordUpdateJob.previousPasswords.postgresPassword (not .Values.passwordUpdateJob.previousPasswords.existingSecret) }}
- {{- true -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return the secret with previous PostgreSQL credentials
-*/}}
-{{- define "postgresql.v1.update-job.previousSecretName" -}}
- {{- if .Values.passwordUpdateJob.previousPasswords.existingSecret -}}
- {{- /* The secret with the new password is managed externally */ -}}
- {{- tpl .Values.passwordUpdateJob.previousPasswords.existingSecret $ -}}
- {{- else if .Values.passwordUpdateJob.previousPasswords.postgresPassword -}}
- {{- /* The secret with the new password is managed externally */ -}}
- {{- printf "%s-previous-secret" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
- {{- else -}}
- {{- /* The secret with the new password is managed by the helm chart. We use the current secret name as it has the old password */ -}}
- {{- include "common.names.fullname" . -}}
- {{- end -}}
-{{- end -}}
-
-{{/*
-Return the secret with new PostgreSQL credentials
-*/}}
-{{- define "postgresql.v1.update-job.newSecretName" -}}
- {{- if and (not .Values.passwordUpdateJob.previousPasswords.existingSecret) (not .Values.passwordUpdateJob.previousPasswords.postgresPassword) -}}
- {{- /* The secret with the new password is managed by the helm chart. We create a new secret as the current one has the old password */ -}}
- {{- printf "%s-new-secret" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
- {{- else -}}
- {{- /* The secret with the new password is managed externally */ -}}
- {{- include "postgresql.v1.secretName" . -}}
- {{- end -}}
-{{- end -}}
-
-{{/*
-Return PostgreSQL service port
-*/}}
-{{- define "postgresql.v1.service.port" -}}
-{{- if .Values.global.postgresql.service.ports.postgresql -}}
- {{- .Values.global.postgresql.service.ports.postgresql -}}
-{{- else -}}
- {{- .Values.primary.service.ports.postgresql -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return PostgreSQL service port
-*/}}
-{{- define "postgresql.v1.readReplica.service.port" -}}
-{{- if .Values.global.postgresql.service.ports.postgresql -}}
- {{- .Values.global.postgresql.service.ports.postgresql -}}
-{{- else -}}
- {{- .Values.readReplicas.service.ports.postgresql -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Get the PostgreSQL primary configuration ConfigMap name.
-*/}}
-{{- define "postgresql.v1.primary.configmapName" -}}
-{{- if .Values.primary.existingConfigmap -}}
- {{- printf "%s" (tpl .Values.primary.existingConfigmap $) -}}
-{{- else -}}
- {{- printf "%s-configuration" (include "postgresql.v1.primary.fullname" .) -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return true if a configmap object should be created for PostgreSQL primary with the configuration
-*/}}
-{{- define "postgresql.v1.primary.createConfigmap" -}}
-{{- if and (or .Values.primary.configuration .Values.primary.pgHbaConfiguration) (not .Values.primary.existingConfigmap) -}}
- {{- true -}}
-{{- else -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Get the PostgreSQL primary extended configuration ConfigMap name.
-*/}}
-{{- define "postgresql.v1.primary.extendedConfigmapName" -}}
-{{- if .Values.primary.existingExtendedConfigmap -}}
- {{- printf "%s" (tpl .Values.primary.existingExtendedConfigmap $) -}}
-{{- else -}}
- {{- printf "%s-extended-configuration" (include "postgresql.v1.primary.fullname" .) -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Get the PostgreSQL read replica extended configuration ConfigMap name.
-*/}}
-{{- define "postgresql.v1.readReplicas.extendedConfigmapName" -}}
- {{- printf "%s-extended-configuration" (include "postgresql.v1.readReplica.fullname" .) -}}
-{{- end -}}
-
-{{/*
-Return true if a configmap object should be created for PostgreSQL primary with the extended configuration
-*/}}
-{{- define "postgresql.v1.primary.createExtendedConfigmap" -}}
-{{- if and .Values.primary.extendedConfiguration (not .Values.primary.existingExtendedConfigmap) -}}
- {{- true -}}
-{{- else -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return true if a configmap object should be created for PostgreSQL read replica with the extended configuration
-*/}}
-{{- define "postgresql.v1.readReplicas.createExtendedConfigmap" -}}
-{{- if .Values.readReplicas.extendedConfiguration -}}
- {{- true -}}
-{{- else -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
- Create the name of the service account to use
- */}}
-{{- define "postgresql.v1.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
- {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
- {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return true if a configmap should be mounted with PostgreSQL configuration
-*/}}
-{{- define "postgresql.v1.mountConfigurationCM" -}}
-{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap -}}
- {{- true -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Get the pre-initialization scripts ConfigMap name.
-*/}}
-{{- define "postgresql.v1.preInitDb.scriptsCM" -}}
-{{- if .Values.primary.preInitDb.scriptsConfigMap -}}
- {{- printf "%s" (tpl .Values.primary.preInitDb.scriptsConfigMap $) -}}
-{{- else -}}
- {{- printf "%s-preinit-scripts" (include "postgresql.v1.primary.fullname" .) -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Get the initialization scripts ConfigMap name.
-*/}}
-{{- define "postgresql.v1.initdb.scriptsCM" -}}
-{{- if .Values.primary.initdb.scriptsConfigMap -}}
- {{- printf "%s" (tpl .Values.primary.initdb.scriptsConfigMap $) -}}
-{{- else -}}
- {{- printf "%s-init-scripts" (include "postgresql.v1.primary.fullname" .)
-}} -{{- end -}} -{{- end -}} - -{{/* -Return true if TLS is enabled for LDAP connection -*/}} -{{- define "postgresql.v1.ldap.tls.enabled" -}} -{{- if and (kindIs "string" .Values.ldap.tls) (not (empty .Values.ldap.tls)) -}} - {{- true -}} -{{- else if and (kindIs "map" .Values.ldap.tls) .Values.ldap.tls.enabled -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Get the readiness probe command -*/}} -{{- define "postgresql.v1.readinessProbeCommand" -}} -{{- $customUser := include "postgresql.v1.username" . -}} -- | -{{- if (include "postgresql.v1.database" .) }} - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if .Values.tls.enabled }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} -{{- else }} - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if .Values.tls.enabled }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} -{{- end }} -{{- if contains "bitnami/" .Values.image.repository }} - [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] -{{- end }} -{{- end -}} - -{{/* -Compile all warnings into a single message, and call fail. -*/}} -{{- define "postgresql.v1.validateValues" -}} -{{- $messages := list -}} -{{- $messages := append $messages (include "postgresql.v1.validateValues.ldapConfigurationMethod" .) -}} -{{- $messages := append $messages (include "postgresql.v1.validateValues.psp" .) 
-}} -{{- $messages := without $messages "" -}} -{{- $message := join "\n" $messages -}} - -{{- if $message -}} -{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} -{{- end -}} -{{- end -}} - -{{/* -Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap -*/}} -{{- define "postgresql.v1.validateValues.ldapConfigurationMethod" -}} -{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) -}} -postgresql: ldap.url, ldap.server - You cannot set both `ldap.url` and `ldap.server` at the same time. - Please provide a unique way to configure LDAP. - More info at https://www.postgresql.org/docs/current/auth-ldap.html -{{- end -}} -{{- end -}} - -{{/* -Validate values of Postgresql - If PSP is enabled RBAC should be enabled too -*/}} -{{- define "postgresql.v1.validateValues.psp" -}} -{{- if and .Values.psp.create (not .Values.rbac.create) -}} -postgresql: psp.create, rbac.create - RBAC should be enabled if PSP is enabled in order for PSP to work. - More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies -{{- end -}} -{{- end -}} - -{{/* -Return the path to the cert file. -*/}} -{{- define "postgresql.v1.tlsCert" -}} -{{- if .Values.tls.autoGenerated -}} - {{- printf "/opt/bitnami/postgresql/certs/tls.crt" -}} -{{- else -}} - {{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the path to the cert key file. -*/}} -{{- define "postgresql.v1.tlsCertKey" -}} -{{- if .Values.tls.autoGenerated -}} - {{- printf "/opt/bitnami/postgresql/certs/tls.key" -}} -{{- else -}} -{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the path to the CA cert file. 
-*/}} -{{- define "postgresql.v1.tlsCACert" -}} -{{- if .Values.tls.autoGenerated -}} - {{- printf "/opt/bitnami/postgresql/certs/ca.crt" -}} -{{- else -}} - {{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}} -{{- end -}} -{{- end -}} - -{{/* -Return the path to the CRL file. -*/}} -{{- define "postgresql.v1.tlsCRL" -}} -{{- if .Values.tls.crlFilename -}} -{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if a TLS credentials secret object should be created -*/}} -{{- define "postgresql.v1.createTlsSecret" -}} -{{- if and .Values.tls.autoGenerated (not .Values.tls.certificatesSecret) -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Return the path to the CA cert file. -*/}} -{{- define "postgresql.v1.tlsSecretName" -}} -{{- if .Values.tls.autoGenerated -}} - {{- printf "%s-crt" (include "common.names.fullname" .) -}} -{{- else -}} - {{ tpl (required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret) . }} -{{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/charts/postgresql/templates/backup/cronjob.yaml b/charts/gitea-bitnami/charts/postgresql/templates/backup/cronjob.yaml deleted file mode 100644 index c5fd9f7..0000000 --- a/charts/gitea-bitnami/charts/postgresql/templates/backup/cronjob.yaml +++ /dev/null 
@@ -1,138 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if .Values.backup.enabled }}
-{{- $customUser := include "postgresql.v1.username" . }}
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
- namespace: {{ include "common.names.namespace" . | quote }}
- {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.labels .Values.commonLabels ) "context" . ) }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: pg_dumpall
- {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.annotations .Values.commonAnnotations ) "context" . ) }}
- {{- if $annotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
- {{- end }}
-spec:
- schedule: {{ quote .Values.backup.cronjob.schedule }}
- {{- if .Values.backup.cronjob.timezone }}
- timeZone: {{ .Values.backup.cronjob.timezone | quote }}
- {{- end }}
- concurrencyPolicy: {{ .Values.backup.cronjob.concurrencyPolicy }}
- failedJobsHistoryLimit: {{ .Values.backup.cronjob.failedJobsHistoryLimit }}
- successfulJobsHistoryLimit: {{ .Values.backup.cronjob.successfulJobsHistoryLimit }}
- {{- if .Values.backup.cronjob.startingDeadlineSeconds }}
- startingDeadlineSeconds: {{ .Values.backup.cronjob.startingDeadlineSeconds }}
- {{- end }}
- jobTemplate:
- spec:
- {{- if .Values.backup.cronjob.ttlSecondsAfterFinished }}
- ttlSecondsAfterFinished: {{ .Values.backup.cronjob.ttlSecondsAfterFinished }}
- {{- end }}
- template:
- metadata:
- labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 12 }}
- app.kubernetes.io/component: pg_dumpall
- {{- if $annotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 12 }}
- {{- end }}
- spec:
- {{- include "postgresql.v1.imagePullSecrets" . | nindent 10 }}
- {{- if .Values.backup.cronjob.nodeSelector }}
- nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.nodeSelector "context" $) | nindent 12 }}
- {{- end }}
- {{- if .Values.backup.cronjob.tolerations }}
- tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.tolerations "context" $) | nindent 12 }}
- {{- end }}
- containers:
- - name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
- image: {{ include "postgresql.v1.image" . }}
- imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
- env:
- - name: PGUSER
- {{- if .Values.auth.enablePostgresUser }}
- value: postgres
- {{- else }}
- value: {{ $customUser | quote }}
- {{- end }}
- {{- if .Values.auth.usePasswordFiles }}
- - name: PGPASSFILE
- value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
- {{- else }}
- - name: PGPASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ include "postgresql.v1.secretName" . }}
- key: {{ include "postgresql.v1.adminPasswordKey" . }}
- {{- end }}
- - name: PGHOST
- value: {{ include "postgresql.v1.primary.fullname" . }}
- - name: PGPORT
- value: {{ include "postgresql.v1.service.port" . | quote }}
- - name: PGDUMP_DIR
- value: {{ .Values.backup.cronjob.storage.mountPath }}
- {{- if .Values.tls.enabled }}
- - name: PGSSLROOTCERT
- {{- if .Values.tls.autoGenerated }}
- value: /tmp/certs/ca.crt
- {{- else }}
- value: {{ printf "/tmp/certs/%s" .Values.tls.certCAFilename }}
- {{- end }}
- {{- end }}
- command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }}
- volumeMounts:
- {{- if .Values.tls.enabled }}
- - name: raw-certificates
- mountPath: /tmp/certs
- {{- end }}
- {{- if .Values.backup.cronjob.storage.enabled }}
- - name: datadir
- mountPath: {{ .Values.backup.cronjob.storage.mountPath }}
- subPath: {{ .Values.backup.cronjob.storage.subPath }}
- {{- end }}
- - name: empty-dir
- mountPath: /tmp
- subPath: tmp-dir
- {{- if .Values.backup.cronjob.extraVolumeMounts }}
- {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.extraVolumeMounts "context" $) | nindent 14 }}
- {{- end }}
- {{- if .Values.backup.cronjob.containerSecurityContext.enabled }}
- securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.backup.cronjob.containerSecurityContext "context" $) | nindent 14 }}
- {{- end }}
- {{- if .Values.backup.cronjob.resources }}
- resources: {{- toYaml .Values.backup.cronjob.resources | nindent 14 }}
- {{- else if ne .Values.backup.cronjob.resourcesPreset "none" }}
- resources: {{- include "common.resources.preset" (dict "type" .Values.backup.cronjob.resourcesPreset) | nindent 14 }}
- {{- end }}
- restartPolicy: {{ .Values.backup.cronjob.restartPolicy }}
- {{- if .Values.backup.cronjob.podSecurityContext.enabled }}
- securityContext:
- fsGroup: {{ .Values.backup.cronjob.podSecurityContext.fsGroup }}
- {{- end }}
- volumes:
- {{- if .Values.tls.enabled }}
- - name: raw-certificates
- secret:
- secretName: {{ include "postgresql.v1.tlsSecretName" . }}
- {{- end }}
- {{- if .Values.backup.cronjob.storage.enabled }}
- {{- if .Values.backup.cronjob.storage.existingClaim }}
- - name: datadir
- persistentVolumeClaim:
- claimName: {{ printf "%s" (tpl .Values.backup.cronjob.storage.existingClaim .) }}
- {{- else }}
- - name: datadir
- persistentVolumeClaim:
- claimName: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
- {{- end }}
- {{- end }}
- - name: empty-dir
- emptyDir: {}
- {{- if .Values.backup.cronjob.extraVolumes }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.extraVolumes "context" $ ) | nindent 12 }}
- {{- end }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/backup/networkpolicy.yaml b/charts/gitea-bitnami/charts/postgresql/templates/backup/networkpolicy.yaml
deleted file mode 100644
index 21e1add..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/backup/networkpolicy.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if and .Values.backup.enabled .Values.backup.cronjob.networkPolicy.enabled }}
-kind: NetworkPolicy
-apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
-metadata:
- name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: pg_dumpall
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.podLabels .Values.commonLabels ) "context" . ) }}
- podSelector:
- matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
- app.kubernetes.io/component: pg_dumpall
- policyTypes:
- - Egress
- egress:
- - ports:
- - port: 5432
- protocol: TCP
- - port: 53
- protocol: TCP
- - port: 53
- protocol: UDP
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/backup/pvc.yaml b/charts/gitea-bitnami/charts/postgresql/templates/backup/pvc.yaml
deleted file mode 100644
index 674ac3d..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/backup/pvc.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if and .Values.backup.enabled .Values.backup.cronjob.storage.enabled (not .Values.backup.cronjob.storage.existingClaim) -}}
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall
- namespace: {{ include "common.names.namespace" . | quote }}
- {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.labels .Values.commonLabels ) "context" . ) }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: pg_dumpall
- {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations .Values.backup.cronjob.storage.resourcePolicy }}
- annotations:
- {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }}
- {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.annotations .Values.commonAnnotations ) "context" . ) }}
- {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
- {{- end }}
- {{- if .Values.backup.cronjob.storage.resourcePolicy }}
- helm.sh/resource-policy: {{ .Values.backup.cronjob.storage.resourcePolicy | quote }}
- {{- end }}
- {{- end }}
-spec:
- accessModes:
- {{- range .Values.backup.cronjob.storage.accessModes }}
- - {{ . | quote }}
- {{- end }}
- resources:
- requests:
- storage: {{ .Values.backup.cronjob.storage.size | quote }}
- {{ include "common.storage.class" (dict "persistence" .Values.backup.cronjob.storage "global" .Values.global) }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/extra-list.yaml b/charts/gitea-bitnami/charts/postgresql/templates/extra-list.yaml
deleted file mode 100644
index 329f5c6..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/extra-list.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- range .Values.extraDeploy }}
----
-{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/primary/configmap.yaml b/charts/gitea-bitnami/charts/postgresql/templates/primary/configmap.yaml
deleted file mode 100644
index ad231e5..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/primary/configmap.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if (include "postgresql.v1.primary.createConfigmap" .) }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ printf "%s-configuration" (include "postgresql.v1.primary.fullname" .) }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: primary
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-data:
- {{- if .Values.primary.configuration }}
- postgresql.conf: |
- {{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.primary.pgHbaConfiguration }}
- pg_hba.conf: |
- {{- include "common.tplvalues.render" ( dict "value" .Values.primary.pgHbaConfiguration "context" $ ) | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/primary/extended-configmap.yaml b/charts/gitea-bitnami/charts/postgresql/templates/primary/extended-configmap.yaml
deleted file mode 100644
index 2d228e4..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/primary/extended-configmap.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if (include "postgresql.v1.primary.createExtendedConfigmap" .) }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ printf "%s-extended-configuration" (include "postgresql.v1.primary.fullname" .) }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: primary
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-data:
- override.conf: |-
- {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extendedConfiguration "context" $ ) | nindent 4 }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/primary/initialization-configmap.yaml b/charts/gitea-bitnami/charts/postgresql/templates/primary/initialization-configmap.yaml
deleted file mode 100644
index 450812a..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/primary/initialization-configmap.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if and .Values.primary.initdb.scripts (not .Values.primary.initdb.scriptsConfigMap) }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ printf "%s-init-scripts" (include "postgresql.v1.primary.fullname" .) }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.initdb.scripts "context" .) | nindent 2 }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/primary/metrics-configmap.yaml b/charts/gitea-bitnami/charts/postgresql/templates/primary/metrics-configmap.yaml
deleted file mode 100644
index 9bf889a..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/primary/metrics-configmap.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-data:
- custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/primary/metrics-svc.yaml b/charts/gitea-bitnami/charts/postgresql/templates/primary/metrics-svc.yaml
deleted file mode 100644
index 2e77c5b..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/primary/metrics-svc.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if .Values.metrics.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: metrics
- {{- if or .Values.commonAnnotations .Values.metrics.service.annotations }}
- {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
- {{- end }}
-spec:
- type: ClusterIP
- sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
- {{- if .Values.metrics.service.clusterIP }}
- clusterIP: {{ .Values.metrics.service.clusterIP }}
- {{- end }}
- ports:
- - name: http-metrics
- port: {{ .Values.metrics.service.ports.metrics }}
- targetPort: http-metrics
- {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
- selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: primary
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/primary/networkpolicy.yaml b/charts/gitea-bitnami/charts/postgresql/templates/primary/networkpolicy.yaml
deleted file mode 100644
index 6e5e28f..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/primary/networkpolicy.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if .Values.primary.networkPolicy.enabled }}
-kind: NetworkPolicy
-apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
-metadata:
- name: {{ include "postgresql.v1.primary.fullname" . }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: primary
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
- podSelector:
- matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
- app.kubernetes.io/component: primary
- policyTypes:
- - Ingress
- - Egress
- {{- if .Values.primary.networkPolicy.allowExternalEgress }}
- egress:
- - {}
- {{- else }}
- egress:
- # Allow dns resolution
- - ports:
- - port: 53
- protocol: UDP
- - port: 53
- protocol: TCP
- # Allow outbound connections to read-replicas
- - ports:
- - port: {{ .Values.containerPorts.postgresql }}
- to:
- - podSelector:
- matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
- app.kubernetes.io/component: read
- {{- if .Values.primary.networkPolicy.extraEgress }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
- {{- end }}
- {{- end }}
- ingress:
- - ports:
- - port: {{ .Values.containerPorts.postgresql }}
- {{- if .Values.metrics.enabled }}
- - port: {{ .Values.metrics.containerPorts.metrics }}
- {{- end }}
- {{- if not .Values.primary.networkPolicy.allowExternal }}
- from:
- - podSelector:
- matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
- - podSelector:
- matchLabels:
- {{ template "postgresql.v1.primary.fullname" . }}-client: "true"
- {{- if .Values.primary.networkPolicy.ingressNSMatchLabels }}
- - namespaceSelector:
- matchLabels:
- {{- range $key, $value := .Values.primary.networkPolicy.ingressNSMatchLabels }}
- {{ $key | quote }}: {{ $value | quote }}
- {{- end }}
- {{- if .Values.primary.networkPolicy.ingressNSPodMatchLabels }}
- podSelector:
- matchLabels:
- {{- range $key, $value := .Values.primary.networkPolicy.ingressNSPodMatchLabels }}
- {{ $key | quote }}: {{ $value | quote }}
- {{- end }}
- {{- end }}
- {{- end }}
- {{- end }}
- {{- if .Values.primary.networkPolicy.extraIngress }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/primary/pdb.yaml b/charts/gitea-bitnami/charts/postgresql/templates/primary/pdb.yaml
deleted file mode 100644
index a03fb20..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/primary/pdb.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if .Values.primary.pdb.create }}
-apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
-kind: PodDisruptionBudget
-metadata:
- name: {{ include "postgresql.v1.primary.fullname" . }}
- namespace: {{ include "common.names.namespace" . | quote }}
- {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.labels .Values.commonLabels ) "context" . ) }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: primary
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- {{- if .Values.primary.pdb.minAvailable }}
- minAvailable: {{ .Values.primary.pdb.minAvailable }}
- {{- end }}
- {{- if or .Values.primary.pdb.maxUnavailable ( not .Values.primary.pdb.minAvailable ) }}
- maxUnavailable: {{ .Values.primary.pdb.maxUnavailable | default 1 }}
- {{- end }}
- {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
- selector:
- matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
- app.kubernetes.io/component: primary
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/primary/preinitialization-configmap.yaml b/charts/gitea-bitnami/charts/postgresql/templates/primary/preinitialization-configmap.yaml
deleted file mode 100644
index ae6d188..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/primary/preinitialization-configmap.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if and .Values.primary.preInitDb.scripts (not .Values.primary.preInitDb.scriptsConfigMap) }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ printf "%s-preinit-scripts" (include "postgresql.v1.primary.fullname" .) }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.preInitDb.scripts "context" .) | nindent 2 }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/primary/servicemonitor.yaml b/charts/gitea-bitnami/charts/postgresql/templates/primary/servicemonitor.yaml
deleted file mode 100644
index b17d7f5..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/primary/servicemonitor.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ include "postgresql.v1.primary.fullname" . }}
- namespace: {{ coalesce .Values.metrics.serviceMonitor.namespace (include "common.names.namespace" .) | quote }}
- {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: metrics
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- {{- if .Values.metrics.serviceMonitor.jobLabel }}
- jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
- {{- end }}
- selector:
- {{- $svcLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.selector .Values.commonLabels ) "context" . ) }}
- matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $svcLabels "context" $ ) | nindent 6 }}
- app.kubernetes.io/component: metrics
- endpoints:
- - port: http-metrics
- {{- if .Values.metrics.serviceMonitor.interval }}
- interval: {{ .Values.metrics.serviceMonitor.interval }}
- {{- end }}
- {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
- scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
- {{- end }}
- {{- if .Values.metrics.serviceMonitor.relabelings }}
- relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
- {{- end }}
- {{- if .Values.metrics.serviceMonitor.metricRelabelings }}
- metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
- {{- end }}
- {{- if .Values.metrics.serviceMonitor.honorLabels }}
- honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
- {{- end }}
- namespaceSelector:
- matchNames:
- - {{ include "common.names.namespace" . | quote }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/primary/statefulset.yaml b/charts/gitea-bitnami/charts/postgresql/templates/primary/statefulset.yaml
deleted file mode 100644
index d45d617..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/primary/statefulset.yaml
+++ /dev/null
@@ -1,705 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- $customUser := include "postgresql.v1.username" . }} -apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: {{ include "postgresql.v1.primary.fullname" . }} - namespace: {{ include "common.names.namespace" . | quote }} - {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.labels .Values.commonLabels ) "context" . ) }} - labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} - app.kubernetes.io/component: primary - {{- if or .Values.commonAnnotations .Values.primary.annotations }} - {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.annotations .Values.commonAnnotations ) "context" . ) }} - annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} - {{- end }} -spec: - replicas: 1 - serviceName: {{ include "postgresql.v1.primary.svc.headless" . }} - {{- if .Values.primary.updateStrategy }} - updateStrategy: {{- toYaml .Values.primary.updateStrategy | nindent 4 }} - {{- end }} - {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} - selector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} - app.kubernetes.io/component: primary - template: - metadata: - name: {{ include "postgresql.v1.primary.fullname" . }} - labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} - app.kubernetes.io/component: primary - {{- if or .Values.passwordUpdateJob.enabled (include "postgresql.v1.primary.createConfigmap" .) (include "postgresql.v1.primary.createExtendedConfigmap" .) 
.Values.primary.podAnnotations }} - annotations: - {{- if (include "postgresql.v1.primary.createConfigmap" .) }} - checksum/configuration: {{ pick (include (print $.Template.BasePath "/primary/configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }} - {{- end }} - {{- if (include "postgresql.v1.primary.createExtendedConfigmap" .) }} - checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }} - {{- end }} - {{- if .Values.passwordUpdateJob.enabled }} - charts.bitnami.com/password-last-update: {{ now | date "20060102150405" | quote }} - {{- end }} - {{- if .Values.primary.podAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podAnnotations "context" $ ) | nindent 8 }} - {{- end }} - {{- end }} - spec: - {{- if .Values.primary.extraPodSpec }} - {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraPodSpec "context" $) | nindent 6 }} - {{- end }} - serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }} - {{- include "postgresql.v1.imagePullSecrets" . 
| nindent 6 }} - automountServiceAccountToken: {{ .Values.primary.automountServiceAccountToken }} - {{- if .Values.primary.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.primary.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "customLabels" $podLabels "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.primary.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.primary.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.primary.topologySpreadConstraints }} - topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.primary.topologySpreadConstraints "context" .) 
| nindent 8 }} - {{- end }} - {{- if .Values.primary.priorityClassName }} - priorityClassName: {{ .Values.primary.priorityClassName }} - {{- end }} - {{- if .Values.primary.schedulerName }} - schedulerName: {{ .Values.primary.schedulerName | quote }} - {{- end }} - {{- if .Values.primary.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }} - {{- end }} - {{- if .Values.primary.podSecurityContext.enabled }} - securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.podSecurityContext "context" $) | nindent 8 }} - {{- end }} - hostNetwork: {{ .Values.primary.hostNetwork }} - hostIPC: {{ .Values.primary.hostIPC }} - {{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled)) .Values.primary.initContainers }} - initContainers: - {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} - - name: copy-certs - image: {{ include "postgresql.v1.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - {{- if .Values.primary.resources }} - resources: {{- toYaml .Values.primary.resources | nindent 12 }} - {{- else if ne .Values.primary.resourcesPreset "none" }} - resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }} - {{- end }} - # We don't require a privileged container in this case - {{- if .Values.primary.containerSecurityContext.enabled }} - securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }} - {{- end }} - command: - - /bin/sh - - -ec - - | - cp /tmp/certs/* /opt/bitnami/postgresql/certs/ - chmod 600 {{ include "postgresql.v1.tlsCertKey" . 
}} - volumeMounts: - - name: empty-dir - mountPath: /tmp - subPath: tmp-dir - - name: raw-certificates - mountPath: /tmp/certs - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - {{- else if and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled) }} - - name: init-chmod-data - image: {{ include "postgresql.v1.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - {{- if .Values.volumePermissions.resources }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} - {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} - resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} - {{- end }} - command: - - /bin/sh - - -ec - - | - {{- if .Values.primary.persistence.enabled }} - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.primary.persistence.mountPath }} - {{- else }} - chown {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} {{ .Values.primary.persistence.mountPath }} - {{- end }} - mkdir -p {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }} - chmod 700 {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }} - find {{ .Values.primary.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.v1.mountConfigurationCM" .) 
}} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - xargs -r chown -R `id -u`:`id -G | cut -d " " -f2` - {{- else }} - xargs -r chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} - {{- end }} - {{- end }} - {{- if .Values.shmVolume.enabled }} - chmod -R 777 /dev/shm - {{- end }} - {{- if .Values.tls.enabled }} - cp /tmp/certs/* /opt/bitnami/postgresql/certs/ - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ - {{- else }} - chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/ - {{- end }} - chmod 600 {{ include "postgresql.v1.tlsCertKey" . }} - {{- end }} - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: empty-dir - mountPath: /tmp - subPath: tmp-dir - - name: {{ .Values.primary.persistence.volumeName }} - mountPath: {{ .Values.primary.persistence.mountPath }} - {{- if .Values.primary.persistence.subPath }} - subPath: {{ .Values.primary.persistence.subPath }} - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - mountPath: /dev/shm - {{- end }} - {{- if .Values.tls.enabled }} - - name: raw-certificates - mountPath: /tmp/certs - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - {{- end }} - {{- end }} - {{- if .Values.primary.initContainers }} - {{- include "common.tplvalues.render" ( dict "value" 
.Values.primary.initContainers "context" $ ) | nindent 8 }} - {{- end }} - {{- end }} - containers: - - name: postgresql - image: {{ include "postgresql.v1.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if .Values.primary.containerSecurityContext.enabled }} - securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else if .Values.primary.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.primary.command "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.primary.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.primary.args "context" $) | nindent 12 }} - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - - name: POSTGRESQL_PORT_NUMBER - value: {{ .Values.containerPorts.postgresql | quote }} - - name: POSTGRESQL_VOLUME_DIR - value: {{ .Values.primary.persistence.mountPath | quote }} - {{- if .Values.primary.persistence.mountPath }} - - name: PGDATA - value: {{ .Values.postgresqlDataDir | quote }} - {{- end }} - # Authentication - {{- if or (eq $customUser "postgres") (empty $customUser) }} - {{- if .Values.auth.enablePostgresUser }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }} - {{- else }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.v1.secretName" . 
}} - key: {{ include "postgresql.v1.adminPasswordKey" . }} - {{- end }} - {{- else }} - - name: ALLOW_EMPTY_PASSWORD - value: "true" - {{- end }} - {{- else }} - - name: POSTGRES_USER - value: {{ $customUser | quote }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }} - {{- else }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.v1.secretName" . }} - key: {{ include "postgresql.v1.userPasswordKey" . }} - {{- end }} - {{- if .Values.auth.enablePostgresUser }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_POSTGRES_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }} - {{- else }} - - name: POSTGRES_POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.v1.secretName" . }} - key: {{ include "postgresql.v1.adminPasswordKey" . }} - {{- end }} - {{- end }} - {{- end }} - {{- if (include "postgresql.v1.database" .) }} - - name: POSTGRES_DATABASE - value: {{ (include "postgresql.v1.database" .) | quote }} - {{- end }} - {{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }} - # Replication - - name: POSTGRES_REPLICATION_MODE - value: {{ ternary "slave" "master" .Values.primary.standby.enabled | quote }} - - name: POSTGRES_REPLICATION_USER - value: {{ .Values.auth.replicationUsername | quote }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_REPLICATION_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.replicationPasswordKey" .) }} - {{- else }} - - name: POSTGRES_REPLICATION_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.v1.secretName" . }} - key: {{ include "postgresql.v1.replicationPasswordKey" . 
}} - {{- end }} - {{- if ne .Values.replication.synchronousCommit "off" }} - - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE - value: {{ .Values.replication.synchronousCommit | quote }} - - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS - value: {{ .Values.replication.numSynchronousReplicas | quote }} - {{- end }} - - name: POSTGRES_CLUSTER_APP_NAME - value: {{ .Values.replication.applicationName }} - {{- end }} - {{- if .Values.primary.initdb.args }} - # Initdb - - name: POSTGRES_INITDB_ARGS - value: {{ .Values.primary.initdb.args | quote }} - {{- end }} - {{- if .Values.primary.initdb.postgresqlWalDir }} - - name: POSTGRES_INITDB_WALDIR - value: {{ .Values.primary.initdb.postgresqlWalDir | quote }} - {{- end }} - {{- if .Values.primary.initdb.user }} - - name: POSTGRES_INITSCRIPTS_USERNAME - value: {{ .Values.primary.initdb.user }} - {{- end }} - {{- if .Values.primary.initdb.password }} - - name: POSTGRES_INITSCRIPTS_PASSWORD - value: {{ .Values.primary.initdb.password | quote }} - {{- end }} - {{- if .Values.primary.standby.enabled }} - # Standby - - name: POSTGRES_MASTER_HOST - value: {{ .Values.primary.standby.primaryHost }} - - name: POSTGRES_MASTER_PORT_NUMBER - value: {{ .Values.primary.standby.primaryPort | quote }} - {{- end }} - # LDAP - - name: POSTGRESQL_ENABLE_LDAP - value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }} - {{- if .Values.ldap.enabled }} - {{- if or .Values.ldap.url .Values.ldap.uri }} - - name: POSTGRESQL_LDAP_URL - value: {{ coalesce .Values.ldap.url .Values.ldap.uri }} - {{- else }} - - name: POSTGRESQL_LDAP_SERVER - value: {{ .Values.ldap.server }} - - name: POSTGRESQL_LDAP_PORT - value: {{ .Values.ldap.port | quote }} - - name: POSTGRESQL_LDAP_SCHEME - value: {{ .Values.ldap.scheme }} - {{- if (include "postgresql.v1.ldap.tls.enabled" .) 
}} - - name: POSTGRESQL_LDAP_TLS - value: "1" - {{- end }} - - name: POSTGRESQL_LDAP_PREFIX - value: {{ .Values.ldap.prefix | quote }} - - name: POSTGRESQL_LDAP_SUFFIX - value: {{ .Values.ldap.suffix | quote }} - - name: POSTGRESQL_LDAP_BASE_DN - value: {{ coalesce .Values.ldap.baseDN .Values.ldap.basedn }} - - name: POSTGRESQL_LDAP_BIND_DN - value: {{ coalesce .Values.ldap.bindDN .Values.ldap.binddn}} - {{- if or (not (empty .Values.ldap.bind_password)) (not (empty .Values.ldap.bindpw)) }} - - name: POSTGRESQL_LDAP_BIND_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.v1.secretName" . }} - key: ldap-password - {{- end }} - - name: POSTGRESQL_LDAP_SEARCH_ATTR - value: {{ coalesce .Values.ldap.search_attr .Values.ldap.searchAttribute }} - - name: POSTGRESQL_LDAP_SEARCH_FILTER - value: {{ coalesce .Values.ldap.search_filter .Values.ldap.searchFilter }} - {{- end }} - {{- end }} - # TLS - - name: POSTGRESQL_ENABLE_TLS - value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} - {{- if .Values.tls.enabled }} - - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS - value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} - - name: POSTGRESQL_TLS_CERT_FILE - value: {{ include "postgresql.v1.tlsCert" . }} - - name: POSTGRESQL_TLS_KEY_FILE - value: {{ include "postgresql.v1.tlsCertKey" . }} - {{- if .Values.tls.certCAFilename }} - - name: POSTGRESQL_TLS_CA_FILE - value: {{ include "postgresql.v1.tlsCACert" . }} - {{- end }} - {{- if .Values.tls.crlFilename }} - - name: POSTGRESQL_TLS_CRL_FILE - value: {{ include "postgresql.v1.tlsCRL" . 
}} - {{- end }} - {{- end }} - # Audit - - name: POSTGRESQL_LOG_HOSTNAME - value: {{ .Values.audit.logHostname | quote }} - - name: POSTGRESQL_LOG_CONNECTIONS - value: {{ .Values.audit.logConnections | quote }} - - name: POSTGRESQL_LOG_DISCONNECTIONS - value: {{ .Values.audit.logDisconnections | quote }} - {{- if .Values.audit.logLinePrefix }} - - name: POSTGRESQL_LOG_LINE_PREFIX - value: {{ .Values.audit.logLinePrefix | quote }} - {{- end }} - {{- if .Values.audit.logTimezone }} - - name: POSTGRESQL_LOG_TIMEZONE - value: {{ .Values.audit.logTimezone | quote }} - {{- end }} - {{- if .Values.audit.pgAuditLog }} - - name: POSTGRESQL_PGAUDIT_LOG - value: {{ .Values.audit.pgAuditLog | quote }} - {{- end }} - - name: POSTGRESQL_PGAUDIT_LOG_CATALOG - value: {{ .Values.audit.pgAuditLogCatalog | quote }} - # Others - - name: POSTGRESQL_CLIENT_MIN_MESSAGES - value: {{ .Values.audit.clientMinMessages | quote }} - - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES - value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} - {{- if .Values.primary.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - {{- if or .Values.primary.extraEnvVarsCM .Values.primary.extraEnvVarsSecret }} - envFrom: - {{- if .Values.primary.extraEnvVarsCM }} - - configMapRef: - name: {{ .Values.primary.extraEnvVarsCM }} - {{- end }} - {{- if .Values.primary.extraEnvVarsSecret }} - - secretRef: - name: {{ .Values.primary.extraEnvVarsSecret }} - {{- end }} - {{- end }} - ports: - - name: tcp-postgresql - containerPort: {{ .Values.containerPorts.postgresql }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.primary.customStartupProbe }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }} - {{- else if .Values.primary.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit 
.Values.primary.startupProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bin/sh - - -c - {{- if (include "postgresql.v1.database" .) }} - - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- else }} - - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- end }} - {{- end }} - {{- if .Values.primary.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }} - {{- else if .Values.primary.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.livenessProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bin/sh - - -c - {{- if (include "postgresql.v1.database" .) }} - - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- else }} - - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . 
}}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- end }} - {{- end }} - {{- if .Values.primary.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }} - {{- else if .Values.primary.readinessProbe.enabled }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.readinessProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bin/sh - - -c - - -e - {{- include "postgresql.v1.readinessProbeCommand" . | nindent 16 }} - {{- end }} - {{- end }} - {{- if .Values.primary.resources }} - resources: {{- toYaml .Values.primary.resources | nindent 12 }} - {{- else if ne .Values.primary.resourcesPreset "none" }} - resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }} - {{- end }} - {{- if .Values.primary.lifecycleHooks }} - lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }} - {{- end }} - volumeMounts: - - name: empty-dir - mountPath: /tmp - subPath: tmp-dir - - name: empty-dir - mountPath: /opt/bitnami/postgresql/conf - subPath: app-conf-dir - - name: empty-dir - mountPath: /opt/bitnami/postgresql/tmp - subPath: app-tmp-dir - {{- if or .Values.primary.preInitDb.scriptsConfigMap .Values.primary.preInitDb.scripts }} - - name: custom-preinit-scripts - mountPath: /docker-entrypoint-preinitdb.d/ - {{- end }} - {{- if .Values.primary.preInitDb.scriptsSecret }} - - name: custom-preinit-scripts-secret - mountPath: /docker-entrypoint-preinitdb.d/secret - {{- end }} - {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }} - - name: custom-init-scripts - mountPath: /docker-entrypoint-initdb.d/ - {{- end }} - {{- if .Values.primary.initdb.scriptsSecret }} - - name: custom-init-scripts-secret - mountPath: /docker-entrypoint-initdb.d/secret - {{- end }} - 
{{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }} - - name: postgresql-extended-config - mountPath: {{ .Values.primary.persistence.mountPath }}/conf/conf.d/ - {{- end }} - {{- if and .Values.auth.usePasswordFiles (or .Values.auth.enablePostgresUser $customUser) }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - {{- if .Values.tls.enabled }} - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - readOnly: true - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - mountPath: /dev/shm - {{- end }} - - name: {{ .Values.primary.persistence.volumeName }} - mountPath: {{ .Values.primary.persistence.mountPath }} - {{- if .Values.primary.persistence.subPath }} - subPath: {{ .Values.primary.persistence.subPath }} - {{- end }} - {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} - - name: postgresql-config - mountPath: {{ .Values.primary.persistence.mountPath }}/conf - {{- end }} - {{- if .Values.primary.extraVolumeMounts }} - {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - - name: metrics - image: {{ include "postgresql.v1.metrics.image" . 
}} - imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} - {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if or .Values.metrics.customMetrics .Values.metrics.collectors }} - args: - {{- if .Values.metrics.customMetrics }} - - --extend.query-path - - /conf/custom-metrics.yaml - {{- end }} - {{- range $name, $enabled := .Values.metrics.collectors }} - - --{{ if not $enabled }}no-{{ end }}collector.{{ $name }} - {{- end }} - {{- end }} - env: - - name: DATA_SOURCE_URI - value: {{ printf "127.0.0.1:%d/postgres?sslmode=disable" (int (include "postgresql.v1.service.port" .)) }} - {{- if .Values.auth.usePasswordFiles }} - - name: DATA_SOURCE_PASS_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include (ternary "postgresql.v1.adminPasswordKey" "postgresql.v1.userPasswordKey" (empty $customUser)) .) }} - {{- else }} - - name: DATA_SOURCE_PASS - valueFrom: - secretKeyRef: - name: {{ include "postgresql.v1.secretName" . }} - key: {{ include (ternary "postgresql.v1.adminPasswordKey" "postgresql.v1.userPasswordKey" (empty $customUser)) . 
}} - {{- end }} - - name: DATA_SOURCE_USER - value: {{ default "postgres" $customUser | quote }} - {{- if .Values.metrics.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - ports: - - name: http-metrics - containerPort: {{ .Values.metrics.containerPorts.metrics }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.metrics.customStartupProbe }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} - tcpSocket: - port: http-metrics - {{- end }} - {{- if .Values.metrics.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: / - port: http-metrics - {{- end }} - {{- if .Values.metrics.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.readinessProbe.enabled }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: / - port: http-metrics - {{- end }} - {{- end }} - volumeMounts: - - name: empty-dir - mountPath: /tmp - subPath: tmp-dir - {{- if and .Values.auth.usePasswordFiles (or .Values.auth.enablePostgresUser $customUser) }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - {{- if 
.Values.metrics.customMetrics }} - - name: custom-metrics - mountPath: /conf - readOnly: true - {{- end }} - {{- if .Values.metrics.resources }} - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} - {{- else if ne .Values.metrics.resourcesPreset "none" }} - resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.primary.sidecars }} - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }} - {{- end }} - volumes: - - name: empty-dir - emptyDir: {} - {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} - - name: postgresql-config - configMap: - name: {{ include "postgresql.v1.primary.configmapName" . }} - {{- end }} - {{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }} - - name: postgresql-extended-config - configMap: - name: {{ include "postgresql.v1.primary.extendedConfigmapName" . }} - {{- end }} - {{- if and .Values.auth.usePasswordFiles (or .Values.auth.enablePostgresUser $customUser) }} - - name: postgresql-password - secret: - secretName: {{ include "postgresql.v1.secretName" . }} - {{- end }} - {{- if or .Values.primary.preInitDb.scriptsConfigMap .Values.primary.preInitDb.scripts }} - - name: custom-preinit-scripts - configMap: - name: {{ include "postgresql.v1.preInitDb.scriptsCM" . }} - {{- end }} - {{- if .Values.primary.preInitDb.scriptsSecret }} - - name: custom-preinit-scripts-secret - secret: - secretName: {{ tpl .Values.primary.preInitDb.scriptsSecret $ }} - {{- end }} - {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }} - - name: custom-init-scripts - configMap: - name: {{ include "postgresql.v1.initdb.scriptsCM" . 
}} - {{- end }} - {{- if .Values.primary.initdb.scriptsSecret }} - - name: custom-init-scripts-secret - secret: - secretName: {{ tpl .Values.primary.initdb.scriptsSecret $ }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: raw-certificates - secret: - secretName: {{ include "postgresql.v1.tlsSecretName" . }} - - name: postgresql-certificates - emptyDir: {} - {{- end }} - {{- if .Values.primary.extraVolumes }} - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraVolumes "context" $ ) | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} - - name: custom-metrics - configMap: - name: {{ printf "%s-metrics" (include "postgresql.v1.primary.fullname" .) }} - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - emptyDir: - medium: Memory - {{- if .Values.shmVolume.sizeLimit }} - sizeLimit: {{ .Values.shmVolume.sizeLimit }} - {{- end }} - {{- end }} - {{- if and .Values.primary.persistence.enabled .Values.primary.persistence.existingClaim }} - - name: {{ .Values.primary.persistence.volumeName }} - persistentVolumeClaim: - claimName: {{ tpl .Values.primary.persistence.existingClaim $ }} - {{- else if not .Values.primary.persistence.enabled }} - - name: {{ .Values.primary.persistence.volumeName }} - emptyDir: {} - {{- else }} - {{- if .Values.primary.persistentVolumeClaimRetentionPolicy.enabled }} - persistentVolumeClaimRetentionPolicy: - whenDeleted: {{ .Values.primary.persistentVolumeClaimRetentionPolicy.whenDeleted }} - whenScaled: {{ .Values.primary.persistentVolumeClaimRetentionPolicy.whenScaled }} - {{- end }} - volumeClaimTemplates: - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: {{ .Values.primary.persistence.volumeName }} - {{- if .Values.primary.persistence.annotations }} - annotations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.annotations "context" $) | nindent 10 }} - {{- end }} - {{- if 
.Values.primary.persistence.labels }} - labels: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.labels "context" $) | nindent 10 }} - {{- end }} - spec: - accessModes: - {{- range .Values.primary.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - {{- if .Values.primary.persistence.dataSource }} - dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.dataSource "context" $) | nindent 10 }} - {{- end }} - resources: - requests: - storage: {{ .Values.primary.persistence.size | quote }} - {{- if .Values.primary.persistence.selector }} - selector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.selector "context" $) | nindent 10 }} - {{- end }} - {{- include "common.storage.class" (dict "persistence" .Values.primary.persistence "global" .Values.global) | nindent 8 }} - {{- end }} diff --git a/charts/gitea-bitnami/charts/postgresql/templates/primary/svc-headless.yaml b/charts/gitea-bitnami/charts/postgresql/templates/primary/svc-headless.yaml deleted file mode 100644 index 180cfcb..0000000 --- a/charts/gitea-bitnami/charts/postgresql/templates/primary/svc-headless.yaml +++ /dev/null 
@@ -1,31 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "postgresql.v1.primary.svc.headless" . }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: primary
- annotations:
- {{- if or .Values.primary.service.headless.annotations .Values.commonAnnotations }}
- {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
- {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
- {{- end }}
-spec:
- type: ClusterIP
- clusterIP: None
- # We want all pods in the StatefulSet to have their addresses published for
- # the sake of the other Postgresql pods even before they're ready, since they
- # have to be able to talk to each other in order to become ready.
- publishNotReadyAddresses: true
- ports:
- - name: tcp-postgresql
- port: {{ template "postgresql.v1.service.port" . }}
- targetPort: tcp-postgresql
- {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
- selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: primary
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/primary/svc.yaml b/charts/gitea-bitnami/charts/postgresql/templates/primary/svc.yaml
deleted file mode 100644
index 2eeaea1..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/primary/svc.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "postgresql.v1.primary.fullname" . }}
- namespace: {{ include "common.names.namespace" . | quote }}
- {{- $labels := .Values.commonLabels }}
- {{- if .Values.primary.service.labels }}
- {{- $labels = include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.labels $labels ) "context" . ) }}
- {{- end }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: primary
- {{- if or .Values.commonAnnotations .Values.primary.service.annotations }}
- {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.service.annotations .Values.commonAnnotations ) "context" . ) }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
- {{- end }}
-spec:
- type: {{ .Values.primary.service.type }}
- {{- if or (eq .Values.primary.service.type "LoadBalancer") (eq .Values.primary.service.type "NodePort") }}
- externalTrafficPolicy: {{ .Values.primary.service.externalTrafficPolicy | quote }}
- {{- end }}
- {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerSourceRanges)) }}
- loadBalancerSourceRanges: {{ .Values.primary.service.loadBalancerSourceRanges | toJson}}
- {{- end }}
- {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerClass)) }}
- loadBalancerClass: {{ .Values.primary.service.loadBalancerClass }}
- {{- end }}
- {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerIP)) }}
- loadBalancerIP: {{ .Values.primary.service.loadBalancerIP }}
- {{- end }}
- {{- if and .Values.primary.service.clusterIP (eq .Values.primary.service.type "ClusterIP") }}
- clusterIP: {{ .Values.primary.service.clusterIP }}
- {{- end }}
- {{- if .Values.primary.service.sessionAffinity }}
- sessionAffinity: {{ .Values.primary.service.sessionAffinity }}
- {{- end }}
- {{- if .Values.primary.service.sessionAffinityConfig }}
- sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.sessionAffinityConfig "context" $) | nindent 4 }}
- {{- end }}
- ports:
- - name: tcp-postgresql
- port: {{ template "postgresql.v1.service.port" . }}
- targetPort: tcp-postgresql
- {{- if and (or (eq .Values.primary.service.type "NodePort") (eq .Values.primary.service.type "LoadBalancer")) (not (empty .Values.primary.service.nodePorts.postgresql)) }}
- nodePort: {{ .Values.primary.service.nodePorts.postgresql }}
- {{- else if eq .Values.primary.service.type "ClusterIP" }}
- nodePort: null
- {{- end }}
- {{- if .Values.primary.service.extraPorts }}
- {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.extraPorts "context" $) | nindent 4 }}
- {{- end }}
- {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }}
- selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: primary
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/prometheusrule.yaml b/charts/gitea-bitnami/charts/postgresql/templates/prometheusrule.yaml
deleted file mode 100644
index 0ec8e6a..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/prometheusrule.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
- name: {{ include "common.names.fullname" . }}
- namespace: {{ coalesce .Values.metrics.prometheusRule.namespace (include "common.names.namespace" .) | quote }}
- {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.prometheusRule.labels .Values.commonLabels ) "context" . ) }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: metrics
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- groups:
- - name: {{ include "common.names.fullname" . }}
- rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/psp.yaml b/charts/gitea-bitnami/charts/postgresql/templates/psp.yaml
deleted file mode 100644
index 41267ec..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/psp.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if and (include "common.capabilities.psp.supported" .) .Values.psp.create }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "common.names.fullname" . }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- privileged: false
- volumes:
- - 'configMap'
- - 'secret'
- - 'persistentVolumeClaim'
- - 'emptyDir'
- - 'projected'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/read/extended-configmap.yaml b/charts/gitea-bitnami/charts/postgresql/templates/read/extended-configmap.yaml
deleted file mode 100644
index 6ffc93c..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/read/extended-configmap.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ printf "%s-extended-configuration" (include "postgresql.v1.readReplica.fullname" .) }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: read
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-data:
- override.conf: |-
- {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extendedConfiguration "context" $ ) | nindent 4 }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/read/metrics-configmap.yaml b/charts/gitea-bitnami/charts/postgresql/templates/read/metrics-configmap.yaml
deleted file mode 100644
index a4ed6b7..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/read/metrics-configmap.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if and .Values.metrics.enabled .Values.metrics.customMetrics (eq .Values.architecture "replication") }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-data:
- custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/read/metrics-svc.yaml b/charts/gitea-bitnami/charts/postgresql/templates/read/metrics-svc.yaml
deleted file mode 100644
index fccd1b9..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/read/metrics-svc.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if and .Values.metrics.enabled (eq .Values.architecture "replication") }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: metrics-read
- {{- if or .Values.commonAnnotations .Values.metrics.service.annotations }}
- {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
- {{- end }}
-spec:
- type: ClusterIP
- sessionAffinity: {{ .Values.metrics.service.sessionAffinity }}
- {{- if .Values.metrics.service.clusterIP }}
- clusterIP: {{ .Values.metrics.service.clusterIP }}
- {{- end }}
- ports:
- - name: http-metrics
- port: {{ .Values.metrics.service.ports.metrics }}
- targetPort: http-metrics
- {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
- selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: read
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/read/networkpolicy.yaml b/charts/gitea-bitnami/charts/postgresql/templates/read/networkpolicy.yaml
deleted file mode 100644
index 9c730d8..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/read/networkpolicy.yaml
+++ /dev/null
@@ -1,80 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if eq .Values.architecture "replication" }}
-{{- if .Values.readReplicas.networkPolicy.enabled }}
-kind: NetworkPolicy
-apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
-metadata:
- name: {{ include "postgresql.v1.readReplica.fullname" . }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: read
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
- podSelector:
- matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
- app.kubernetes.io/component: read
- policyTypes:
- - Ingress
- - Egress
- {{- if .Values.readReplicas.networkPolicy.allowExternalEgress }}
- egress:
- - {}
- {{- else }}
- egress:
- # Allow dns resolution
- - ports:
- - port: 53
- protocol: UDP
- - port: 53
- protocol: TCP
- # Allow outbound connections to primary
- - ports:
- - port: {{ .Values.containerPorts.postgresql }}
- to:
- - podSelector:
- matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
- app.kubernetes.io/component: primary
- {{- if .Values.readReplicas.networkPolicy.extraEgress }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
- {{- end }}
- {{- end }}
- ingress:
- - ports:
- - port: {{ .Values.containerPorts.postgresql }}
- {{- if .Values.metrics.enabled }}
- - port: {{ .Values.metrics.containerPorts.metrics }}
- {{- end }}
- {{- if not .Values.readReplicas.networkPolicy.allowExternal }}
- from:
- - podSelector:
- matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
- - podSelector:
- matchLabels:
- {{ template "postgresql.v1.readReplica.fullname" . }}-client: "true"
- {{- if .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
- - namespaceSelector:
- matchLabels:
- {{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
- {{ $key | quote }}: {{ $value | quote }}
- {{- end }}
- {{- if .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
- podSelector:
- matchLabels:
- {{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
- {{ $key | quote }}: {{ $value | quote }}
- {{- end }}
- {{- end }}
- {{- end }}
- {{- end }}
- {{- if .Values.readReplicas.networkPolicy.extraIngress }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
- {{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/read/pdb.yaml b/charts/gitea-bitnami/charts/postgresql/templates/read/pdb.yaml
deleted file mode 100644
index bd2eaad..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/read/pdb.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if and ( eq .Values.architecture "replication" ) .Values.readReplicas.pdb.create }}
-apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
-kind: PodDisruptionBudget
-metadata:
- name: {{ include "postgresql.v1.readReplica.fullname" . }}
- namespace: {{ include "common.names.namespace" . | quote }}
- {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.labels .Values.commonLabels ) "context" . ) }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: read
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- {{- if .Values.readReplicas.pdb.minAvailable }}
- minAvailable: {{ .Values.readReplicas.pdb.minAvailable }}
- {{- end }}
- {{- if or .Values.readReplicas.pdb.maxUnavailable ( not .Values.readReplicas.pdb.minAvailable ) }}
- maxUnavailable: {{ .Values.readReplicas.pdb.maxUnavailable | default 1 }}
- {{- end }}
- {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
- selector:
- matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
- app.kubernetes.io/component: read
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/read/servicemonitor.yaml b/charts/gitea-bitnami/charts/postgresql/templates/read/servicemonitor.yaml
deleted file mode 100644
index b1536a6..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/read/servicemonitor.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled (eq .Values.architecture "replication") }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ include "postgresql.v1.readReplica.fullname" . }}
- namespace: {{ coalesce .Values.metrics.serviceMonitor.namespace (include "common.names.namespace" .) | quote }}
- {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: metrics-read
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-spec:
- {{- if .Values.metrics.serviceMonitor.jobLabel }}
- jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
- {{- end }}
- selector:
- {{- $svcLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.selector .Values.commonLabels ) "context" . ) }}
- matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $svcLabels "context" $ ) | nindent 6 }}
- app.kubernetes.io/component: metrics-read
- endpoints:
- - port: http-metrics
- {{- if .Values.metrics.serviceMonitor.interval }}
- interval: {{ .Values.metrics.serviceMonitor.interval }}
- {{- end }}
- {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
- scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
- {{- end }}
- {{- if .Values.metrics.serviceMonitor.relabelings }}
- relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
- {{- end }}
- {{- if .Values.metrics.serviceMonitor.metricRelabelings }}
- metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
- {{- end }}
- {{- if .Values.metrics.serviceMonitor.honorLabels }}
- honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
- {{- end }}
- namespaceSelector:
- matchNames:
- - {{ include "common.names.namespace" . | quote }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/read/statefulset.yaml b/charts/gitea-bitnami/charts/postgresql/templates/read/statefulset.yaml
deleted file mode 100644
index f7376b5..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/read/statefulset.yaml
+++ /dev/null
@@ -1,588 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if eq .Values.architecture "replication" }} -{{- $customUser := include "postgresql.v1.username" . }} -apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: {{ include "postgresql.v1.readReplica.fullname" . }} - namespace: {{ include "common.names.namespace" . | quote }} - {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.labels .Values.commonLabels ) "context" . ) }} - labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} - app.kubernetes.io/component: read - {{- if or .Values.commonAnnotations .Values.readReplicas.annotations }} - {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.annotations .Values.commonAnnotations ) "context" . ) }} - annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} - {{- end }} -spec: - replicas: {{ .Values.readReplicas.replicaCount }} - serviceName: {{ include "postgresql.v1.readReplica.svc.headless" . }} - {{- if .Values.readReplicas.updateStrategy }} - updateStrategy: {{- toYaml .Values.readReplicas.updateStrategy | nindent 4 }} - {{- end }} - {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }} - selector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} - app.kubernetes.io/component: read - template: - metadata: - name: {{ include "postgresql.v1.readReplica.fullname" . 
}} - labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} - app.kubernetes.io/component: read - {{- if or .Values.passwordUpdateJob.enabled (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) .Values.readReplicas.podAnnotations }} - annotations: - {{- if (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) }} - checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }} - {{- end }} - {{- if .Values.passwordUpdateJob.enabled }} - charts.bitnami.com/password-last-update: {{ now | date "20060102150405" | quote }} - {{- end }} - {{- if .Values.readReplicas.podAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podAnnotations "context" $ ) | nindent 8 }} - {{- end }} - {{- end }} - spec: - {{- if .Values.readReplicas.extraPodSpec }} - {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraPodSpec "context" $) | nindent 6 }} - {{- end }} - serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }} - {{- include "postgresql.v1.imagePullSecrets" . 
| nindent 6 }} - automountServiceAccountToken: {{ .Values.readReplicas.automountServiceAccountToken }} - {{- if .Values.readReplicas.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.readReplicas.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "customLabels" $podLabels "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "customLabels" $podLabels "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.readReplicas.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.readReplicas.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.readReplicas.topologySpreadConstraints }} - topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.topologySpreadConstraints "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.readReplicas.priorityClassName }} - priorityClassName: {{ .Values.readReplicas.priorityClassName }} - {{- end }} - {{- if .Values.readReplicas.schedulerName }} - schedulerName: {{ .Values.readReplicas.schedulerName | quote }} - {{- end }} - {{- if 
.Values.readReplicas.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }} - {{- end }} - {{- if .Values.readReplicas.podSecurityContext.enabled }} - securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.podSecurityContext "context" $) | nindent 8 }} - {{- end }} - hostNetwork: {{ .Values.readReplicas.hostNetwork }} - hostIPC: {{ .Values.readReplicas.hostIPC }} - {{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled)) .Values.readReplicas.initContainers }} - initContainers: - {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} - - name: copy-certs - image: {{ include "postgresql.v1.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - {{- if .Values.readReplicas.resources }} - resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} - {{- else if ne .Values.readReplicas.resourcesPreset "none" }} - resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }} - {{- end }} - # We don't require a privileged container in this case - {{- if .Values.readReplicas.containerSecurityContext.enabled }} - securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }} - {{- end }} - command: - - /bin/sh - - -ec - - | - cp /tmp/certs/* /opt/bitnami/postgresql/certs/ - chmod 600 {{ include "postgresql.v1.tlsCertKey" . 
}} - volumeMounts: - - name: empty-dir - mountPath: /tmp - subPath: tmp-dir - - name: raw-certificates - mountPath: /tmp/certs - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - {{- else if and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled) }} - - name: init-chmod-data - image: {{ include "postgresql.v1.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - {{- if .Values.readReplicas.resources }} - resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} - {{- else if ne .Values.readReplicas.resourcesPreset "none" }} - resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }} - {{- end }} - command: - - /bin/sh - - -ec - - | - {{- if .Values.readReplicas.persistence.enabled }} - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.readReplicas.persistence.mountPath }} - {{- else }} - chown {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} {{ .Values.readReplicas.persistence.mountPath }} - {{- end }} - mkdir -p {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }} - chmod 700 {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.v1.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }} - find {{ .Values.readReplicas.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.v1.mountConfigurationCM" .) 
}} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - xargs -r chown -R `id -u`:`id -G | cut -d " " -f2` - {{- else }} - xargs -r chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} - {{- end }} - {{- end }} - {{- if .Values.shmVolume.enabled }} - chmod -R 777 /dev/shm - {{- end }} - {{- if .Values.tls.enabled }} - cp /tmp/certs/* /opt/bitnami/postgresql/certs/ - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ - {{- else }} - chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/ - {{- end }} - chmod 600 {{ include "postgresql.v1.tlsCertKey" . }} - {{- end }} - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: empty-dir - mountPath: /tmp - subPath: tmp-dir - - name: data - mountPath: {{ .Values.readReplicas.persistence.mountPath }} - {{- if .Values.readReplicas.persistence.subPath }} - subPath: {{ .Values.readReplicas.persistence.subPath }} - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - mountPath: /dev/shm - {{- end }} - {{- if .Values.tls.enabled }} - - name: raw-certificates - mountPath: /tmp/certs - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - {{- end }} - {{- end }} - {{- if .Values.readReplicas.initContainers }} - {{- include "common.tplvalues.render" ( dict "value" 
.Values.readReplicas.initContainers "context" $ ) | nindent 8 }} - {{- end }} - {{- end }} - containers: - - name: postgresql - image: {{ include "postgresql.v1.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if .Values.readReplicas.containerSecurityContext.enabled }} - securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else if .Values.readReplicas.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.command "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.readReplicas.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.args "context" $) | nindent 12 }} - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - - name: POSTGRESQL_PORT_NUMBER - value: {{ .Values.containerPorts.postgresql | quote }} - - name: POSTGRESQL_VOLUME_DIR - value: {{ .Values.readReplicas.persistence.mountPath | quote }} - {{- if .Values.readReplicas.persistence.mountPath }} - - name: PGDATA - value: {{ .Values.postgresqlDataDir | quote }} - {{- end }} - # Authentication - {{- if or (eq $customUser "postgres") (empty $customUser) }} - {{- if .Values.auth.enablePostgresUser }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) 
}} - {{- else }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.v1.secretName" . }} - key: {{ include "postgresql.v1.adminPasswordKey" . }} - {{- end }} - {{- else }} - - name: ALLOW_EMPTY_PASSWORD - value: "true" - {{- end }} - {{- else }} - - name: POSTGRES_USER - value: {{ $customUser | quote }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }} - {{- else }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.v1.secretName" . }} - key: {{ include "postgresql.v1.userPasswordKey" . }} - {{- end }} - {{- if .Values.auth.enablePostgresUser }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_POSTGRES_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }} - {{- else }} - - name: POSTGRES_POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.v1.secretName" . }} - key: {{ include "postgresql.v1.adminPasswordKey" . }} - {{- end }} - {{- end }} - {{- end }} - # Replication - - name: POSTGRES_REPLICATION_MODE - value: "slave" - - name: POSTGRES_REPLICATION_USER - value: {{ .Values.auth.replicationUsername | quote }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_REPLICATION_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.replicationPasswordKey" .) }} - {{- else }} - - name: POSTGRES_REPLICATION_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.v1.secretName" . }} - key: {{ include "postgresql.v1.replicationPasswordKey" . }} - {{- end }} - - name: POSTGRES_CLUSTER_APP_NAME - value: {{ .Values.replication.applicationName }} - - name: POSTGRES_MASTER_HOST - value: {{ include "postgresql.v1.primary.fullname" . }} - - name: POSTGRES_MASTER_PORT_NUMBER - value: {{ include "postgresql.v1.service.port" . 
| quote }} - # TLS - - name: POSTGRESQL_ENABLE_TLS - value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} - {{- if .Values.tls.enabled }} - - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS - value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} - - name: POSTGRESQL_TLS_CERT_FILE - value: {{ include "postgresql.v1.tlsCert" . }} - - name: POSTGRESQL_TLS_KEY_FILE - value: {{ include "postgresql.v1.tlsCertKey" . }} - {{- if .Values.tls.certCAFilename }} - - name: POSTGRESQL_TLS_CA_FILE - value: {{ include "postgresql.v1.tlsCACert" . }} - {{- end }} - {{- if .Values.tls.crlFilename }} - - name: POSTGRESQL_TLS_CRL_FILE - value: {{ include "postgresql.v1.tlsCRL" . }} - {{- end }} - {{- end }} - # Audit - - name: POSTGRESQL_LOG_HOSTNAME - value: {{ .Values.audit.logHostname | quote }} - - name: POSTGRESQL_LOG_CONNECTIONS - value: {{ .Values.audit.logConnections | quote }} - - name: POSTGRESQL_LOG_DISCONNECTIONS - value: {{ .Values.audit.logDisconnections | quote }} - {{- if .Values.audit.logLinePrefix }} - - name: POSTGRESQL_LOG_LINE_PREFIX - value: {{ .Values.audit.logLinePrefix | quote }} - {{- end }} - {{- if .Values.audit.logTimezone }} - - name: POSTGRESQL_LOG_TIMEZONE - value: {{ .Values.audit.logTimezone | quote }} - {{- end }} - {{- if .Values.audit.pgAuditLog }} - - name: POSTGRESQL_PGAUDIT_LOG - value: {{ .Values.audit.pgAuditLog | quote }} - {{- end }} - - name: POSTGRESQL_PGAUDIT_LOG_CATALOG - value: {{ .Values.audit.pgAuditLogCatalog | quote }} - # Others - - name: POSTGRESQL_CLIENT_MIN_MESSAGES - value: {{ .Values.audit.clientMinMessages | quote }} - - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES - value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} - {{- if .Values.readReplicas.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - {{- if or .Values.readReplicas.extraEnvVarsCM .Values.readReplicas.extraEnvVarsSecret }} - envFrom: - {{- if 
.Values.readReplicas.extraEnvVarsCM }} - - configMapRef: - name: {{ .Values.readReplicas.extraEnvVarsCM }} - {{- end }} - {{- if .Values.readReplicas.extraEnvVarsSecret }} - - secretRef: - name: {{ .Values.readReplicas.extraEnvVarsSecret }} - {{- end }} - {{- end }} - ports: - - name: tcp-postgresql - containerPort: {{ .Values.containerPorts.postgresql }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.readReplicas.customStartupProbe }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customStartupProbe "context" $) | nindent 12 }} - {{- else if .Values.readReplicas.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.startupProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bin/sh - - -c - {{- if (include "postgresql.v1.database" .) }} - - exec pg_isready -U {{ default "postgres" $customUser| quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- else }} - - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . 
}}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- end }} - {{- end }} - {{- if .Values.readReplicas.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customLivenessProbe "context" $) | nindent 12 }} - {{- else if .Values.readReplicas.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.livenessProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bin/sh - - -c - {{- if (include "postgresql.v1.database" .) }} - - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.v1.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- else }} - - exec pg_isready -U {{default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.v1.tlsCert" . }} sslkey={{ include "postgresql.v1.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- end }} - {{- end }} - {{- if .Values.readReplicas.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customReadinessProbe "context" $) | nindent 12 }} - {{- else if .Values.readReplicas.readinessProbe.enabled }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.readinessProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bin/sh - - -c - - -e - {{- include "postgresql.v1.readinessProbeCommand" . 
| nindent 16 }} - {{- end }} - {{- end }} - {{- if .Values.readReplicas.resources }} - resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} - {{- else if ne .Values.readReplicas.resourcesPreset "none" }} - resources: {{- include "common.resources.preset" (dict "type" .Values.readReplicas.resourcesPreset) | nindent 12 }} - {{- end }} - {{- if .Values.readReplicas.lifecycleHooks }} - lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }} - {{- end }} - volumeMounts: - - name: empty-dir - mountPath: /tmp - subPath: tmp-dir - - name: empty-dir - mountPath: /opt/bitnami/postgresql/conf - subPath: app-conf-dir - - name: empty-dir - mountPath: /opt/bitnami/postgresql/tmp - subPath: app-tmp-dir - {{- if and .Values.auth.usePasswordFiles (or .Values.auth.enablePostgresUser $customUser) }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - {{- if .Values.readReplicas.extendedConfiguration }} - - name: postgresql-extended-config - mountPath: {{ .Values.readReplicas.persistence.mountPath }}/conf/conf.d/ - {{- end }} - {{- if .Values.tls.enabled }} - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - readOnly: true - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - mountPath: /dev/shm - {{- end }} - - name: data - mountPath: {{ .Values.readReplicas.persistence.mountPath }} - {{- if .Values.readReplicas.persistence.subPath }} - subPath: {{ .Values.readReplicas.persistence.subPath }} - {{- end }} - {{- if .Values.readReplicas.extraVolumeMounts }} - {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraVolumeMounts "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - - name: metrics - image: {{ include "postgresql.v1.metrics.image" . 
}} - imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} - {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if or .Values.metrics.customMetrics .Values.metrics.collectors }} - args: - {{- if .Values.metrics.customMetrics }} - - --extend.query-path - - /conf/custom-metrics.yaml - {{- end }} - {{- range $name, $enabled := .Values.metrics.collectors }} - - --{{ if not $enabled }}no-{{ end }}collector.{{ $name }} - {{- end }} - {{- end }} - env: - - name: DATA_SOURCE_URI - value: {{ printf "127.0.0.1:%d/postgres?sslmode=disable" (int (include "postgresql.v1.service.port" .)) }} - {{- if .Values.auth.usePasswordFiles }} - - name: DATA_SOURCE_PASS_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include (ternary "postgresql.v1.adminPasswordKey" "postgresql.v1.userPasswordKey" (empty $customUser)) .) }} - {{- else }} - - name: DATA_SOURCE_PASS - valueFrom: - secretKeyRef: - name: {{ include "postgresql.v1.secretName" . }} - key: {{ include (ternary "postgresql.v1.adminPasswordKey" "postgresql.v1.userPasswordKey" (empty $customUser)) . 
}} - {{- end }} - - name: DATA_SOURCE_USER - value: {{ default "postgres" $customUser | quote }} - {{- if .Values.metrics.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - ports: - - name: http-metrics - containerPort: {{ .Values.metrics.containerPorts.metrics }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.metrics.customStartupProbe }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} - tcpSocket: - port: http-metrics - {{- end }} - {{- if .Values.metrics.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: / - port: http-metrics - {{- end }} - {{- if .Values.metrics.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.readinessProbe.enabled }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: / - port: http-metrics - {{- end }} - {{- end }} - volumeMounts: - - name: empty-dir - mountPath: /tmp - subPath: tmp-dir - {{- if and .Values.auth.usePasswordFiles (or .Values.auth.enablePostgresUser $customUser) }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - {{- if 
.Values.metrics.customMetrics }} - - name: custom-metrics - mountPath: /conf - readOnly: true - {{- end }} - {{- if .Values.metrics.resources }} - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} - {{- else if ne .Values.metrics.resourcesPreset "none" }} - resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.readReplicas.sidecars }} - {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }} - {{- end }} - volumes: - {{- if .Values.readReplicas.extendedConfiguration }} - - name: postgresql-extended-config - configMap: - name: {{ include "postgresql.v1.readReplicas.extendedConfigmapName" . }} - {{- end }} - {{- if and .Values.auth.usePasswordFiles (or .Values.auth.enablePostgresUser $customUser) }} - - name: postgresql-password - secret: - secretName: {{ include "postgresql.v1.secretName" . }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: raw-certificates - secret: - secretName: {{ include "postgresql.v1.tlsSecretName" . }} - - name: postgresql-certificates - emptyDir: {} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} - - name: custom-metrics - configMap: - name: {{ printf "%s-metrics" (include "postgresql.v1.readReplica.fullname" .) 
}} - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - emptyDir: - medium: Memory - {{- if .Values.shmVolume.sizeLimit }} - sizeLimit: {{ .Values.shmVolume.sizeLimit }} - {{- end }} - {{- end }} - - name: empty-dir - emptyDir: {} - {{- if .Values.readReplicas.extraVolumes }} - {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }} - {{- end }} - {{- if and .Values.readReplicas.persistence.enabled .Values.readReplicas.persistence.existingClaim }} - - name: data - persistentVolumeClaim: - claimName: {{ tpl .Values.readReplicas.persistence.existingClaim $ }} - {{- else if not .Values.readReplicas.persistence.enabled }} - - name: data - emptyDir: {} - {{- else }} - {{- if .Values.readReplicas.persistentVolumeClaimRetentionPolicy.enabled }} - persistentVolumeClaimRetentionPolicy: - whenDeleted: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted }} - whenScaled: {{ .Values.readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled }} - {{- end }} - volumeClaimTemplates: - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: data - {{- if .Values.readReplicas.persistence.annotations }} - annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }} - {{- end }} - {{- if .Values.readReplicas.persistence.labels }} - labels: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.labels "context" $) | nindent 10 }} - {{- end }} - spec: - accessModes: - {{- range .Values.readReplicas.persistence.accessModes }} - - {{ . 
| quote }}
- {{- end }}
- {{- if .Values.readReplicas.persistence.dataSource }}
- dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.dataSource "context" $) | nindent 10 }}
- {{- end }}
- resources:
- requests:
- storage: {{ .Values.readReplicas.persistence.size | quote }}
- {{- if .Values.readReplicas.persistence.selector }}
- selector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.selector "context" $) | nindent 10 }}
- {{- end -}}
- {{- include "common.storage.class" (dict "persistence" .Values.readReplicas.persistence "global" .Values.global) | nindent 8 }}
- {{- end }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/read/svc-headless.yaml b/charts/gitea-bitnami/charts/postgresql/templates/read/svc-headless.yaml
deleted file mode 100644
index 15342a3..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/read/svc-headless.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if eq .Values.architecture "replication" }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "postgresql.v1.readReplica.svc.headless" . }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: read
- annotations:
- {{- if or .Values.readReplicas.service.headless.annotations .Values.commonAnnotations }}
- {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
- {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
- {{- end }}
-spec:
- type: ClusterIP
- clusterIP: None
- # We want all pods in the StatefulSet to have their addresses published for
- # the sake of the other Postgresql pods even before they're ready, since they
- # have to be able to talk to each other in order to become ready.
- publishNotReadyAddresses: true
- ports:
- - name: tcp-postgresql
- port: {{ include "postgresql.v1.readReplica.service.port" . }}
- targetPort: tcp-postgresql
- {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
- selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: read
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/read/svc.yaml b/charts/gitea-bitnami/charts/postgresql/templates/read/svc.yaml
deleted file mode 100644
index 7ebace3..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/read/svc.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if eq .Values.architecture "replication" }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "postgresql.v1.readReplica.fullname" . }}
- namespace: {{ include "common.names.namespace" . | quote }}
- {{- $labels := .Values.commonLabels }}
- {{- if .Values.readReplicas.service.labels }}
- {{- $labels = include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.service.labels $labels ) "context" . ) }}
- {{- end }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: read
- {{- if or .Values.commonAnnotations .Values.readReplicas.service.annotations }}
- {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.service.annotations .Values.commonAnnotations ) "context" . ) }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
- {{- end }}
-spec:
- type: {{ .Values.readReplicas.service.type }}
- {{- if or (eq .Values.readReplicas.service.type "LoadBalancer") (eq .Values.readReplicas.service.type "NodePort") }}
- externalTrafficPolicy: {{ .Values.readReplicas.service.externalTrafficPolicy | quote }}
- {{- end }}
- {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerSourceRanges)) }}
- loadBalancerSourceRanges: {{ .Values.readReplicas.service.loadBalancerSourceRanges }}
- {{- end }}
- {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerClass)) }}
- loadBalancerClass: {{ .Values.readReplicas.service.loadBalancerClass }}
- {{- end }}
- {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerIP)) }}
- loadBalancerIP: {{
.Values.readReplicas.service.loadBalancerIP }}
- {{- end }}
- {{- if and .Values.readReplicas.service.clusterIP (eq .Values.readReplicas.service.type "ClusterIP") }}
- clusterIP: {{ .Values.readReplicas.service.clusterIP }}
- {{- end }}
- {{- if .Values.readReplicas.service.sessionAffinity }}
- sessionAffinity: {{ .Values.readReplicas.service.sessionAffinity }}
- {{- end }}
- {{- if .Values.readReplicas.service.sessionAffinityConfig }}
- sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.sessionAffinityConfig "context" $) | nindent 4 }}
- {{- end }}
- ports:
- - name: tcp-postgresql
- port: {{ include "postgresql.v1.readReplica.service.port" . }}
- targetPort: tcp-postgresql
- {{- if and (or (eq .Values.readReplicas.service.type "NodePort") (eq .Values.readReplicas.service.type "LoadBalancer")) (not (empty .Values.readReplicas.service.nodePorts.postgresql)) }}
- nodePort: {{ .Values.readReplicas.service.nodePorts.postgresql }}
- {{- else if eq .Values.readReplicas.service.type "ClusterIP" }}
- nodePort: null
- {{- end }}
- {{- if .Values.readReplicas.service.extraPorts }}
- {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.extraPorts "context" $) | nindent 4 }}
- {{- end }}
- {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
- selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/component: read
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/role.yaml b/charts/gitea-bitnami/charts/postgresql/templates/role.yaml
deleted file mode 100644
index 86ce182..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/role.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if .Values.rbac.create }}
-kind: Role
-apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
-metadata:
- name: {{ include "common.names.fullname" . }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-# yamllint disable rule:indentation
-rules:
- {{- if and (include "common.capabilities.psp.supported" .) .Values.psp.create }}
- - apiGroups:
- - 'policy'
- resources:
- - 'podsecuritypolicies'
- verbs:
- - 'use'
- resourceNames:
- - {{ include "common.names.fullname" . }}
- {{- end }}
- {{- if .Values.rbac.rules }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
- {{- end }}
-# yamllint enable rule:indentation
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/rolebinding.yaml b/charts/gitea-bitnami/charts/postgresql/templates/rolebinding.yaml
deleted file mode 100644
index 58c5ef2..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/rolebinding.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if .Values.rbac.create }}
-kind: RoleBinding
-apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
-metadata:
- name: {{ include "common.names.fullname" . }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-roleRef:
- kind: Role
- name: {{ include "common.names.fullname" . }}
- apiGroup: rbac.authorization.k8s.io
-subjects:
- - kind: ServiceAccount
- name: {{ include "postgresql.v1.serviceAccountName" . }}
- namespace: {{ include "common.names.namespace" . | quote }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/secrets.yaml b/charts/gitea-bitnami/charts/postgresql/templates/secrets.yaml
deleted file mode 100644
index a41a73a..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/secrets.yaml
+++ /dev/null
@@ -1,120 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- $host := include "postgresql.v1.primary.fullname" . }}
-{{- $port := include "postgresql.v1.service.port" . }}
-{{- $customUser := include "postgresql.v1.username" . }}
-{{- $postgresPassword := (ternary (coalesce .Values.global.postgresql.auth.password .Values.auth.password .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) }}
-{{- if (not $postgresPassword) }}
-{{- $postgresPassword = include "common.secrets.lookup" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.adminPasswordKey .Values.auth.secretKeys.adminPasswordKey) "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.password .Values.auth.password .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) | trimAll "\"" | b64dec }}
-{{- end }}
-{{- if and (not $postgresPassword) .Values.auth.enablePostgresUser }}
-{{- $postgresPassword = randAlphaNum 10 }}
-{{- end }}
-{{- $replicationPassword := "" }}
-{{- if eq .Values.architecture "replication" }}
-{{- $replicationPassword = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .)
"key" (coalesce .Values.global.postgresql.auth.secretKeys.replicationPasswordKey .Values.auth.secretKeys.replicationPasswordKey) "providedValues" (list "auth.replicationPassword") "honorProvidedValues" true "context" $) | trimAll "\"" | b64dec }}
-{{- end }}
-{{- $ldapPassword := "" }}
-{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
-{{- $ldapPassword = coalesce .Values.ldap.bind_password .Values.ldap.bindpw }}
-{{- end }}
-{{- $password := "" }}
-{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
-{{- $password = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.userPasswordKey .Values.auth.secretKeys.userPasswordKey) "providedValues" (list "global.postgresql.auth.password" "auth.password") "honorProvidedValues" true "context" $) | trimAll "\"" | b64dec }}
-{{- end }}
-{{- $database := include "postgresql.v1.database" . }}
-{{- if (include "postgresql.v1.createSecret" .) }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.names.fullname" . }}
- namespace: {{ include "common.names.namespace" .
| quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- if or .Values.secretAnnotations .Values.commonAnnotations }}
- annotations:
- {{- if .Values.secretAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.secretAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
- {{- end }}
-type: Opaque
-data:
- {{- if $postgresPassword }}
- postgres-password: {{ $postgresPassword | b64enc | quote }}
- {{- end }}
- {{- if $password }}
- password: {{ $password | b64enc | quote }}
- {{- end }}
- {{- if $replicationPassword }}
- replication-password: {{ $replicationPassword | b64enc | quote }}
- {{- end }}
- # We don't auto-generate LDAP password when it's not provided as we do for other passwords
- {{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
- ldap-password: {{ $ldapPassword | b64enc | quote }}
- {{- end }}
-{{- end }}
-{{- if .Values.serviceBindings.enabled }}
-{{- if $postgresPassword }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.names.fullname" . }}-svcbind-postgres
- namespace: {{ include "common.names.namespace" .
| quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- if or .Values.secretAnnotations .Values.commonAnnotations }}
- annotations:
- {{- if .Values.secretAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.secretAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
- {{- end }}
-type: servicebinding.io/postgresql
-data:
- provider: {{ print "bitnami" | b64enc | quote }}
- type: {{ print "postgresql" | b64enc | quote }}
- host: {{ $host | b64enc | quote }}
- port: {{ $port | b64enc | quote }}
- username: {{ print "postgres" | b64enc | quote }}
- database: {{ print "postgres" | b64enc | quote }}
- password: {{ $postgresPassword | b64enc | quote }}
- uri: {{ printf "postgresql://postgres:%s@%s:%s/postgres" $postgresPassword $host $port | b64enc | quote }}
-{{- end }}
-{{- if $password }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.names.fullname" . }}-svcbind-custom-user
- namespace: {{ include "common.names.namespace" .
| quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- if or .Values.secretAnnotations .Values.commonAnnotations }}
- annotations:
- {{- if .Values.secretAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.secretAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
- {{- if .Values.commonAnnotations }}
- {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
- {{- end }}
-type: servicebinding.io/postgresql
-data:
- provider: {{ print "bitnami" | b64enc | quote }}
- type: {{ print "postgresql" | b64enc | quote }}
- host: {{ $host | b64enc | quote }}
- port: {{ $port | b64enc | quote }}
- username: {{ $customUser | b64enc | quote }}
- password: {{ $password | b64enc | quote }}
- {{- if $database }}
- database: {{ $database | b64enc | quote }}
- {{- end }}
- uri: {{ printf "postgresql://%s:%s@%s:%s/%s" $customUser $password $host $port $database | b64enc | quote }}
-{{- end }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/serviceaccount.yaml b/charts/gitea-bitnami/charts/postgresql/templates/serviceaccount.yaml
deleted file mode 100644
index 3a0ccf0..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if .Values.serviceAccount.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "postgresql.v1.serviceAccountName" . }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
- {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
- {{- end }}
-automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/tls-secrets.yaml b/charts/gitea-bitnami/charts/postgresql/templates/tls-secrets.yaml
deleted file mode 100644
index d6be0f3..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/tls-secrets.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if (include "postgresql.v1.createTlsSecret" . ) }}
-{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }}
-{{- $ca := genCA "postgresql-ca" 365 }}
-{{- $fullname := include "common.names.fullname" . }}
-{{- $releaseNamespace := include "common.names.namespace" . }}
-{{- $clusterDomain := .Values.clusterDomain }}
-{{- $primaryHeadlessServiceName := include "postgresql.v1.primary.svc.headless" . }}
-{{- $readHeadlessServiceName := include "postgresql.v1.readReplica.svc.headless" . }}
-{{- $altNames := list (printf "*.%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) $fullname }}
-{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ $secretName }}
- namespace: {{ include "common.names.namespace" . 
| quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- {{- if .Values.commonAnnotations }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
- {{- end }}
-type: kubernetes.io/tls
-data:
- tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
- tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
- ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/update-password/job.yaml b/charts/gitea-bitnami/charts/postgresql/templates/update-password/job.yaml
deleted file mode 100644
index 9eaba87..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/update-password/job.yaml
+++ /dev/null
@@ -1,235 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if .Values.passwordUpdateJob.enabled }}
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ printf "%s-password-update" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/part-of: postgresql
- app.kubernetes.io/component: update-job
- {{- $defaultAnnotations := dict "helm.sh/hook" "pre-upgrade" "helm.sh/hook-delete-policy" "hook-succeeded" }}
- {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonAnnotations $defaultAnnotations ) "context" . ) }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
-spec:
- backoffLimit: {{ .Values.passwordUpdateJob.backoffLimit }}
- template:
- metadata:
- {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.passwordUpdateJob.podLabels .Values.commonLabels ) "context" . ) }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
- app.kubernetes.io/part-of: postgresql
- app.kubernetes.io/component: update-job
- {{- if .Values.passwordUpdateJob.podAnnotations }}
- annotations: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.podAnnotations "context" $) | nindent 8 }}
- {{- end }}
- spec:
- {{- include "postgresql.v1.imagePullSecrets" . 
| nindent 6 }}
- restartPolicy: OnFailure
- {{- if .Values.passwordUpdateJob.podSecurityContext.enabled }}
- securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.passwordUpdateJob.podSecurityContext "context" $) | nindent 8 }}
- {{- end }}
- automountServiceAccountToken: {{ .Values.passwordUpdateJob.automountServiceAccountToken }}
- {{- if .Values.passwordUpdateJob.hostAliases }}
- hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.hostAliases "context" $) | nindent 8 }}
- {{- end }}
- initContainers:
- {{- if .Values.passwordUpdateJob.initContainers }}
- {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.initContainers "context" $) | nindent 8 }}
- {{- end }}
- containers:
- - name: update-credentials
- image: {{ template "postgresql.v1.image" . }}
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- {{- if .Values.passwordUpdateJob.command }}
- command: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.command "context" $) | nindent 12 }}
- {{- else }}
- command:
- - /bin/bash
- - -ec
- {{- end }}
- {{- if .Values.passwordUpdateJob.args }}
- args: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.args "context" $) | nindent 12 }}
- {{- else }}
- args:
- - |
- {{- $customUser := include "postgresql.v1.username" . }}
- {{- $customDatabase := include "postgresql.v1.database" . | default "postgres" }}
- {{- if .Values.auth.usePasswordFiles }}
- # We need to load all the secret env vars to the system
- for file in $(find /bitnami/postgresql/secrets -type f); do
- env_var_name="$(basename $file)"
- echo "Exporting $env_var_name"
- export $env_var_name="$(< $file)"
- done
- {{- end }}
-
- . /opt/bitnami/scripts/postgresql-env.sh
- . /opt/bitnami/scripts/libpostgresql.sh
- . /opt/bitnami/scripts/liblog.sh
-
- primary_host={{ include "postgresql.v1.primary.fullname" . 
}}-0.{{ include "postgresql.v1.primary.svc.headless" . }}
- info "Starting password update job"
- {{- if .Values.auth.enablePostgresUser }}
- if [[ -f /job-status/postgres-password-changed ]]; then
- info "Postgres password already updated. Skipping"
- else
- info "Updating postgres password"
- echo "ALTER USER postgres WITH PASSWORD '$POSTGRESQL_NEW_POSTGRES_PASSWORD';" | postgresql_remote_execute $primary_host {{ .Values.containerPorts.postgresql }} "" postgres $POSTGRESQL_PREVIOUS_POSTGRES_PASSWORD
- touch /job-status/postgres-password-changed
- info "Postgres password successfully updated"
- fi
- {{- end }}
- {{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
- if [[ -f /job-status/password-changed ]]; then
- info "User password already updated. Skipping"
- else
- info "Updating user password"
- echo "ALTER USER {{ $customUser }} WITH PASSWORD '$POSTGRESQL_NEW_PASSWORD';" | postgresql_remote_execute $primary_host {{ .Values.containerPorts.postgresql }} "{{ $customDatabase }}" $POSTGRESQL_USER $POSTGRESQL_PREVIOUS_PASSWORD
- touch /job-status/password-changed
- info "User password successfully updated"
- fi
- {{- end }}
- {{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }}
- if [[ -f /job-status/replication-password-changed ]]; then
- info "Replication password already updated. 
Skipping"
- else
- info "Updating replication password"
- echo "ALTER USER $POSTGRESQL_REPLICATION_USER WITH PASSWORD '$POSTGRESQL_NEW_REPLICATION_PASSWORD';" | postgresql_remote_execute $primary_host {{ .Values.containerPorts.postgresql }} "{{ $customDatabase }}" $POSTGRESQL_REPLICATION_USER $POSTGRESQL_PREVIOUS_REPLICATION_PASSWORD
- touch /job-status/replication-password-changed
- info "Replication password successfully updated"
- fi
- {{- end }}
- {{- if .Values.passwordUpdateJob.extraCommands }}
- info "Running extra commmands"
- {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraCommands "context" $) | nindent 14 }}
- {{- end }}
- info "Password update job finished successfully"
- {{- end }}
- env:
- - name: BITNAMI_DEBUG
- value: {{ ternary "true" "false" .Values.image.debug | quote }}
- {{- if not .Values.auth.usePasswordFiles }}
- - name: POSTGRESQL_PREVIOUS_POSTGRES_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "postgresql.v1.update-job.previousSecretName" . }}
- key: {{ include "postgresql.v1.adminPasswordKey" . }}
- - name: POSTGRESQL_NEW_POSTGRES_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "postgresql.v1.update-job.newSecretName" . }}
- key: {{ include "postgresql.v1.adminPasswordKey" . }}
- {{- end }}
- {{- if not (empty .Values.auth.username) }}
- - name: POSTGRESQL_USER
- value: {{ .Values.auth.username | quote }}
- {{- if not .Values.auth.usePasswordFiles }}
- - name: POSTGRESQL_PREVIOUS_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "postgresql.v1.update-job.previousSecretName" . }}
- key: {{ include "postgresql.v1.userPasswordKey" . }}
- - name: POSTGRESQL_NEW_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "postgresql.v1.update-job.newSecretName" . }}
- key: {{ include "postgresql.v1.userPasswordKey" . 
}}
- {{- end }}
- {{- end }}
- {{- if eq .Values.architecture "replication" }}
- - name: POSTGRESQL_REPLICATION_USER
- value: {{ .Values.auth.replicationUsername | quote }}
- {{- if not .Values.auth.usePasswordFiles }}
- - name: POSTGRESQL_PREVIOUS_REPLICATION_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "postgresql.v1.update-job.previousSecretName" . }}
- key: {{ include "postgresql.v1.replicationPasswordKey" . }}
- - name: POSTGRESQL_NEW_REPLICATION_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "postgresql.v1.update-job.newSecretName" . }}
- key: {{ include "postgresql.v1.replicationPasswordKey" . }}
- {{- end }}
- {{- end }}
- {{- if .Values.passwordUpdateJob.extraEnvVars }}
- {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraEnvVars "context" $) | nindent 12 }}
- {{- end }}
- {{- if or .Values.passwordUpdateJob.extraEnvVarsCM .Values.passwordUpdateJob.extraEnvVarsSecret }}
- envFrom:
- {{- if .Values.passwordUpdateJob.extraEnvVarsCM }}
- - configMapRef:
- name: {{ .Values.passwordUpdateJob.extraEnvVarsCM }}
- {{- end }}
- {{- if .Values.passwordUpdateJob.extraEnvVarsSecret }}
- - secretRef:
- name: {{ .Values.passwordUpdateJob.extraEnvVarsSecret }}
- {{- end }}
- {{- end }}
- {{- if .Values.passwordUpdateJob.containerSecurityContext.enabled }}
- securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.passwordUpdateJob.containerSecurityContext "context" $) | nindent 12 }}
- {{- end }}
- {{- if .Values.passwordUpdateJob.customLivenessProbe }}
- livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.customLivenessProbe "context" $) | nindent 12 }}
- {{- end }}
- {{- if .Values.passwordUpdateJob.customReadinessProbe }}
- readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.customReadinessProbe "context" $) | nindent 12 }}
- {{- end }}
- {{- if 
.Values.passwordUpdateJob.customStartupProbe }}
- startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.customStartupProbe "context" $) | nindent 12 }}
- {{- end }}
- volumeMounts:
- - name: empty-dir
- mountPath: /job-status
- subPath: job-dir
- {{- if .Values.auth.usePasswordFiles }}
- - name: postgresql-previous-credentials
- mountPath: /bitnami/postgresql/secrets/previous
- - name: postgresql-new-credentials
- mountPath: /bitnami/postgresql/secrets/new
- {{- end }}
- {{- if .Values.passwordUpdateJob.extraVolumeMounts }}
- {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraVolumeMounts "context" $) | nindent 12 }}
- {{- end }}
- {{- if .Values.passwordUpdateJob.resources }}
- resources: {{- toYaml .Values.passwordUpdateJob.resources | nindent 12 }}
- {{- else if ne .Values.passwordUpdateJob.resourcesPreset "none" }}
- resources: {{- include "common.resources.preset" (dict "type" .Values.passwordUpdateJob.resourcesPreset) | nindent 12 }}
- {{- end }}
- volumes:
- - name: empty-dir
- emptyDir: {}
- {{- if .Values.auth.usePasswordFiles }}
- - name: postgresql-previous-credentials
- secret:
- secretName: {{ template "postgresql.update-job.previousSecretName" . }}
- items:
- - key: postgresql-root-password
- path: POSTGRESQL_PREVIOUS_POSTGRES_PASSWORD
- - key: postgresql-password
- path: POSTGRESQL_PREVIOUS_PASSWORD
- {{- if eq .Values.architecture "replication" }}
- - key: postgresql-replication-password
- path: POSTGRESQL_PREVIOUS_REPLICATION_PASSWORD
- {{- end }}
- - name: postgresql-new-credentials
- secret:
- secretName: {{ template "postgresql.update-job.newSecretName" . 
}}
- items:
- - key: postgresql-root-password
- path: POSTGRESQL_NEW_POSTGRES_PASSWORD
- - key: postgresql-password
- path: POSTGRESQL_NEW_PASSWORD
- {{- if eq .Values.architecture "replication" }}
- - key: postgresql-replication-password
- path: POSTGRESQL_NEW_REPLICATION_PASSWORD
- {{- end }}
- {{- end }}
- {{- if .Values.passwordUpdateJob.extraVolumes }}
- {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraVolumes "context" $) | nindent 8 }}
- {{- end }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/update-password/new-secret.yaml b/charts/gitea-bitnami/charts/postgresql/templates/update-password/new-secret.yaml
deleted file mode 100644
index ab1eacf..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/update-password/new-secret.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if and .Values.passwordUpdateJob.enabled (include "postgresql.v1.createSecret" .) (not ( include "postgresql.v1.createPreviousSecret" . )) (not .Values.passwordUpdateJob.previousPasswords.existingSecret) }}
-{{- $customUser := include "postgresql.v1.username" . }}
-{{- $postgresPassword := (ternary (coalesce .Values.global.postgresql.auth.password .Values.auth.password .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) }}
-{{- $password := coalesce .Values.global.postgresql.auth.password .Values.auth.password }}
-{{- $replicationPassword := .Values.auth.replicationPassword }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ printf "%s-new-secret" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/part-of: postgresql
- {{- $defaultAnnotations := dict "helm.sh/hook" "pre-upgrade" "helm.sh/hook-delete-policy" "hook-succeeded" }}
- {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonAnnotations $defaultAnnotations ) "context" . ) }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
-type: Opaque
-data:
- {{- if .Values.auth.enablePostgresUser }}
- postgres-password: {{ required "The new postgres password is required!" $postgresPassword | b64enc | quote }}
- {{- end }}
- {{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
- password: {{ required "The new user password is required!" 
$password | b64enc | quote }}
- {{- end }}
- {{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }}
- replication-password: {{ required "The new replication password is required!" $replicationPassword | b64enc | quote }}
- {{- end }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/templates/update-password/previous-secret.yaml b/charts/gitea-bitnami/charts/postgresql/templates/update-password/previous-secret.yaml
deleted file mode 100644
index aac8564..0000000
--- a/charts/gitea-bitnami/charts/postgresql/templates/update-password/previous-secret.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{- /*
-Copyright Broadcom, Inc. All Rights Reserved.
-SPDX-License-Identifier: APACHE-2.0
-*/}}
-
-{{- if and .Values.passwordUpdateJob.enabled (include "postgresql.v1.createPreviousSecret" .) }}
-{{- $customUser := include "postgresql.v1.username" . }}
-{{- $postgresPassword := .Values.passwordUpdateJob.previousPasswords.postgresPassword }}
-{{- $password := .Values.passwordUpdateJob.previousPasswords.password }}
-{{- $replicationPassword := .Values.passwordUpdateJob.previousPasswords.replicationPassword }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ printf "%s-previous-secret" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
- namespace: {{ include "common.names.namespace" . | quote }}
- labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
- app.kubernetes.io/part-of: postgresql
- {{- $defaultAnnotations := dict "helm.sh/hook" "pre-upgrade" "helm.sh/hook-delete-policy" "hook-succeeded" }}
- {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonAnnotations $defaultAnnotations ) "context" . ) }}
- annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
-type: Opaque
-data:
- {{- if .Values.auth.enablePostgresUser }}
- postgres-password: {{ required "The previous postgres password is required!" $postgresPassword | b64enc | quote }}
- {{- end }}
- {{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
- password: {{ required "The previous user password is required!" $password | b64enc | quote }}
- {{- end }}
- {{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }}
- replication-password: {{ required "The previous replication password is required!" $replicationPassword | b64enc | quote }}
- {{- end }}
-{{- end }}
diff --git a/charts/gitea-bitnami/charts/postgresql/values.schema.json b/charts/gitea-bitnami/charts/postgresql/values.schema.json
deleted file mode 100644
index fc41483..0000000
--- a/charts/gitea-bitnami/charts/postgresql/values.schema.json
+++ /dev/null
@@ -1,156 +0,0 @@
-{
- "$schema": "http://json-schema.org/schema#",
- "type": "object",
- "properties": {
- "architecture": {
- "type": "string",
- "title": "PostgreSQL architecture",
- "form": true,
- "description": "Allowed values: `standalone` or `replication`"
- },
- "auth": {
- "type": "object",
- "title": "Authentication configuration",
- "form": true,
- "properties": {
- "enablePostgresUser": {
- "type": "boolean",
- "title": "Enable \"postgres\" admin user",
- "description": "Assign a password to the \"postgres\" admin user. Otherwise, remote access will be blocked for this user",
- "form": true
- },
- "postgresPassword": {
- "type": "string",
- "title": "Password for the \"postgres\" admin user",
- "description": "Defaults to a random 10-character alphanumeric string if not set",
- "form": true
- },
- "database": {
- "type": "string",
- "title": "PostgreSQL custom database",
- "description": "Name of the custom database to be created during the 1st initialization of PostgreSQL",
- "form": true
- },
- "username": {
- "type": "string",
- "title": "PostgreSQL custom user",
- "description": "Name of the custom user to be created during the 1st initialization of PostgreSQL. 
This user only has permissions on the PostgreSQL custom database",
- "form": true
- },
- "password": {
- "type": "string",
- "title": "Password for the custom user to create",
- "description": "Defaults to a random 10-character alphanumeric string if not set",
- "form": true
- },
- "replicationUsername": {
- "type": "string",
- "title": "PostgreSQL replication user",
- "description": "Name of user used to manage replication.",
- "form": true,
- "hidden": {
- "value": "standalone",
- "path": "architecture"
- }
- },
- "replicationPassword": {
- "type": "string",
- "title": "Password for PostgreSQL replication user",
- "description": "Defaults to a random 10-character alphanumeric string if not set",
- "form": true,
- "hidden": {
- "value": "standalone",
- "path": "architecture"
- }
- }
- }
- },
- "persistence": {
- "type": "object",
- "properties": {
- "size": {
- "type": "string",
- "title": "Persistent Volume Size",
- "form": true,
- "render": "slider",
- "sliderMin": 1,
- "sliderMax": 100,
- "sliderUnit": "Gi"
- }
- }
- },
- "resources": {
- "type": "object",
- "title": "Required Resources",
- "description": "Configure resource requests",
- "form": true,
- "properties": {
- "requests": {
- "type": "object",
- "properties": {
- "memory": {
- "type": "string",
- "form": true,
- "render": "slider",
- "title": "Memory Request",
- "sliderMin": 10,
- "sliderMax": 2048,
- "sliderUnit": "Mi"
- },
- "cpu": {
- "type": "string",
- "form": true,
- "render": "slider",
- "title": "CPU Request",
- "sliderMin": 10,
- "sliderMax": 2000,
- "sliderUnit": "m"
- }
- }
- }
- }
- },
- "replication": {
- "type": "object",
- "form": true,
- "title": "Replication Details",
- "properties": {
- "enabled": {
- "type": "boolean",
- "title": "Enable Replication",
- "form": true
- },
- "readReplicas": {
- "type": "integer",
- "title": "read Replicas",
- "form": true,
- "hidden": {
- "value": "standalone",
- "path": "architecture"
- }
- }
- }
- },
- "volumePermissions": {
- "type": "object",
- 
"properties": {
- "enabled": {
- "type": "boolean",
- "form": true,
- "title": "Enable Init Containers",
- "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup"
- }
- }
- },
- "metrics": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "title": "Configure metrics exporter",
- "form": true
- }
- }
- }
- }
-}
diff --git a/charts/gitea-bitnami/charts/postgresql/values.yaml b/charts/gitea-bitnami/charts/postgresql/values.yaml
deleted file mode 100644
index bd395d8..0000000
--- a/charts/gitea-bitnami/charts/postgresql/values.yaml
+++ /dev/null
@@ -1,1930 +0,0 @@ -# Copyright Broadcom, Inc. All Rights Reserved. -# SPDX-License-Identifier: APACHE-2.0 - -## @section Global parameters -## Please, note that this will override the parameters, including dependencies, configured to use the global value -## -global: - ## @param global.imageRegistry Global Docker image registry - ## - imageRegistry: "" - ## @param global.imagePullSecrets Global Docker registry secret names as an array - ## e.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName - ## - imagePullSecrets: [] - ## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) -## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead - ## - defaultStorageClass: "" - storageClass: "" - ## Security parameters - ## - security: - ## @param global.security.allowInsecureImages Allows skipping image verification - allowInsecureImages: false - postgresql: - ## @param global.postgresql.auth.postgresPassword Password for the "postgres" admin user (overrides `auth.postgresPassword`) - ## @param global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`) - ## @param global.postgresql.auth.password Password for the custom user to create (overrides `auth.password`) - ## @param global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`) - ## @param global.postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). - ## @param global.postgresql.auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. - ## @param global.postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. 
- ## @param global.postgresql.auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. - ## - auth: - postgresPassword: "" - username: "" - password: "" - database: "" - existingSecret: "" - secretKeys: - adminPasswordKey: "" - userPasswordKey: "" - replicationPasswordKey: "" - ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) - ## - service: - ports: - postgresql: "" - ## Compatibility adaptations for Kubernetes platforms - ## - compatibility: - ## Compatibility adaptations for Openshift - ## - openshift: - ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) - ## - adaptSecurityContext: auto -## @section Common parameters -## - -## @param kubeVersion Override Kubernetes version -## -kubeVersion: "" -## @param nameOverride String to partially override common.names.fullname template (will maintain the release name) -## -nameOverride: "" -## @param fullnameOverride String to fully override common.names.fullname template -## -fullnameOverride: "" -## @param namespaceOverride String to fully override common.names.namespace -## -namespaceOverride: "" -## @param clusterDomain Kubernetes Cluster Domain -## -clusterDomain: cluster.local -## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) -## -extraDeploy: [] -## @param commonLabels Add labels to all the deployed resources -## -commonLabels: {} -## @param commonAnnotations Add annotations to all the deployed resources -## -commonAnnotations: {} -## @param secretAnnotations Add annotations to the secrets -## -secretAnnotations: {} -## Enable diagnostic mode in the statefulset -## -diagnosticMode: - ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) - ## - enabled: false - ## @param diagnosticMode.command Command to override all containers in the statefulset - ## - command: - - sleep - ## @param diagnosticMode.args Args to override all containers in the statefulset - ## - args: - - infinity -## @section PostgreSQL common parameters -## - -## Bitnami PostgreSQL image version -## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ -## @param image.registry [default: REGISTRY_NAME] PostgreSQL image registry -## @param image.repository [default: REPOSITORY_NAME/postgresql] PostgreSQL image repository -## @skip image.tag PostgreSQL image tag (immutable tags are recommended) -## @param image.digest PostgreSQL image 
digest in the way sha256:aa.... Please note this parameter, if set, will override the tag -## @param image.pullPolicy PostgreSQL image pull policy -## @param image.pullSecrets Specify image pull secrets -## @param image.debug Specify if debug values should be set -## -image: - registry: docker.io - repository: bitnami/postgresql - tag: 17.4.0-debian-12-r14 - digest: "" - ## Specify a imagePullPolicy - ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Set to true if you would like to see extra information on logs - ## - debug: false -## Authentication parameters -## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#setting-the-root-password-on-first-run -## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-on-first-run -## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-user-on-first-run -## -auth: - ## @param auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user - ## - enablePostgresUser: true - ## @param auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided - ## - postgresPassword: "" - ## @param auth.username Name for a custom user to create - ## - username: "" - ## @param auth.password Password for the custom user to create. 
Ignored if `auth.existingSecret` is provided - ## - password: "" - ## @param auth.database Name for a custom database to create - ## - database: "" - ## @param auth.replicationUsername Name of the replication user - ## - replicationUsername: repl_user - ## @param auth.replicationPassword Password for the replication user. Ignored if `auth.existingSecret` is provided - ## - replicationPassword: "" - ## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. - ## - existingSecret: "" - ## @param auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. - ## @param auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. - ## @param auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. - ## - secretKeys: - adminPasswordKey: postgres-password - userPasswordKey: password - replicationPasswordKey: replication-password - ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable - ## - usePasswordFiles: true -## @param architecture PostgreSQL architecture (`standalone` or `replication`) -## -architecture: standalone -## Replication configuration -## Ignored if `architecture` is `standalone` -## -replication: - ## @param replication.synchronousCommit Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` - ## @param replication.numSynchronousReplicas Number of replicas that will have synchronous replication. 
Note: Cannot be greater than `readReplicas.replicaCount`. - ## ref: https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT - ## - synchronousCommit: "off" - numSynchronousReplicas: 0 - ## @param replication.applicationName Cluster application name. Useful for advanced replication settings - ## - applicationName: my_application -## @param containerPorts.postgresql PostgreSQL container port -## -containerPorts: - postgresql: 5432 -## Audit settings -## https://github.com/bitnami/containers/tree/main/bitnami/postgresql#auditing -## @param audit.logHostname Log client hostnames -## @param audit.logConnections Add client log-in operations to the log file -## @param audit.logDisconnections Add client log-outs operations to the log file -## @param audit.pgAuditLog Add operations to log using the pgAudit extension -## @param audit.pgAuditLogCatalog Log catalog using pgAudit -## @param audit.clientMinMessages Message log level to share with the user -## @param audit.logLinePrefix Template for log line prefix (default if not set) -## @param audit.logTimezone Timezone for the log timestamps -## -audit: - logHostname: false - logConnections: false - logDisconnections: false - pgAuditLog: "" - pgAuditLogCatalog: "off" - clientMinMessages: error - logLinePrefix: "" - logTimezone: "" -## LDAP configuration -## @param ldap.enabled Enable LDAP support -## @param ldap.server IP address or name of the LDAP server. 
-## @param ldap.port Port number on the LDAP server to connect to -## @param ldap.prefix String to prepend to the user name when forming the DN to bind -## @param ldap.suffix String to append to the user name when forming the DN to bind -## DEPRECATED ldap.baseDN It will removed in a future, please use 'ldap.basedn' instead -## DEPRECATED ldap.bindDN It will removed in a future, please use 'ldap.binddn' instead -## DEPRECATED ldap.bind_password It will removed in a future, please use 'ldap.bindpw' instead -## @param ldap.basedn Root DN to begin the search for the user in -## @param ldap.binddn DN of user to bind to LDAP -## @param ldap.bindpw Password for the user to bind to LDAP -## DEPRECATED ldap.search_attr It will removed in a future, please use 'ldap.searchAttribute' instead -## DEPRECATED ldap.search_filter It will removed in a future, please use 'ldap.searchFilter' instead -## @param ldap.searchAttribute Attribute to match against the user name in the search -## @param ldap.searchFilter The search filter to use when doing search+bind authentication -## @param ldap.scheme Set to `ldaps` to use LDAPS -## DEPRECATED ldap.tls as string is deprecated, please use 'ldap.tls.enabled' instead -## @param ldap.tls.enabled Se to true to enable TLS encryption -## -ldap: - enabled: false - server: "" - port: "" - prefix: "" - suffix: "" - basedn: "" - binddn: "" - bindpw: "" - searchAttribute: "" - searchFilter: "" - scheme: "" - tls: - enabled: false - ## @param ldap.uri LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored. 
- ## Ref: https://www.postgresql.org/docs/current/auth-ldap.html - ## - uri: "" -## @param postgresqlDataDir PostgreSQL data dir folder -## -postgresqlDataDir: /bitnami/postgresql/data -## @param postgresqlSharedPreloadLibraries Shared preload libraries (comma-separated list) -## -postgresqlSharedPreloadLibraries: "pgaudit" -## Start PostgreSQL pod(s) without limitations on shm memory. -## By default docker and containerd (and possibly other container runtimes) limit `/dev/shm` to `64M` -## ref: https://github.com/docker-library/postgres/issues/416 -## ref: https://github.com/containerd/containerd/issues/3654 -## -shmVolume: - ## @param shmVolume.enabled Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) - ## - enabled: true - ## @param shmVolume.sizeLimit Set this to enable a size limit on the shm tmpfs - ## Note: the size of the tmpfs counts against container's memory limit - ## e.g: - ## sizeLimit: 1Gi - ## - sizeLimit: "" -## TLS configuration -## -tls: - ## @param tls.enabled Enable TLS traffic support - ## - enabled: false - ## @param tls.autoGenerated Generate automatically self-signed TLS certificates - ## - autoGenerated: false - ## @param tls.preferServerCiphers Whether to use the server's TLS cipher preferences rather than the client's - ## - preferServerCiphers: true - ## @param tls.certificatesSecret Name of an existing secret that contains the certificates - ## - certificatesSecret: "" - ## @param tls.certFilename Certificate filename - ## - certFilename: "" - ## @param tls.certKeyFilename Certificate key filename - ## - certKeyFilename: "" - ## @param tls.certCAFilename CA Certificate filename - ## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate - ## ref: https://www.postgresql.org/docs/9.6/auth-methods.html - ## - certCAFilename: "" - ## @param tls.crlFilename File containing a Certificate Revocation List - ## - crlFilename: "" -## @section PostgreSQL Primary parameters -## -primary: - ## @param 
primary.name Name of the primary database (eg primary, master, leader, ...) - ## - name: primary - ## @param primary.configuration PostgreSQL Primary main configuration to be injected as ConfigMap - ## ref: https://www.postgresql.org/docs/current/static/runtime-config.html - ## - configuration: "" - ## @param primary.pgHbaConfiguration PostgreSQL Primary client authentication configuration - ## ref: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html - ## e.g:# - ## pgHbaConfiguration: |- - ## local all all trust - ## host all all localhost trust - ## host mydatabase mysuser 192.168.0.0/24 md5 - ## - pgHbaConfiguration: "" - ## @param primary.existingConfigmap Name of an existing ConfigMap with PostgreSQL Primary configuration - ## NOTE: `primary.configuration` and `primary.pgHbaConfiguration` will be ignored - ## - existingConfigmap: "" - ## @param primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration) - ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf - ## - extendedConfiguration: "" - ## @param primary.existingExtendedConfigmap Name of an existing ConfigMap with PostgreSQL Primary extended configuration - ## NOTE: `primary.extendedConfiguration` will be ignored - ## - existingExtendedConfigmap: "" - ## Initdb configuration - ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#specifying-initdb-arguments - ## - initdb: - ## @param primary.initdb.args PostgreSQL initdb extra arguments - ## - args: "" - ## @param primary.initdb.postgresqlWalDir Specify a custom location for the PostgreSQL transaction log - ## - postgresqlWalDir: "" - ## @param primary.initdb.scripts Dictionary of initdb scripts - ## Specify dictionary of scripts to be run at first boot - ## e.g: - ## scripts: - ## my_init_script.sh: | - ## #!/bin/sh - ## echo "Do something." 
- ## - scripts: {} - ## @param primary.initdb.scriptsConfigMap ConfigMap with scripts to be run at first boot - ## NOTE: This will override `primary.initdb.scripts` - ## - scriptsConfigMap: "" - ## @param primary.initdb.scriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information) - ## NOTE: This can work along `primary.initdb.scripts` or `primary.initdb.scriptsConfigMap` - ## - scriptsSecret: "" - ## @param primary.initdb.user Specify the PostgreSQL username to execute the initdb scripts - ## - user: "" - ## @param primary.initdb.password Specify the PostgreSQL password to execute the initdb scripts - ## - password: "" - ## Pre-init configuration - ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql/#on-container-start - preInitDb: - ## @param primary.preInitDb.scripts Dictionary of pre-init scripts - ## Specify dictionary of shell scripts to be run before db boot - ## e.g: - ## scripts: - ## my_pre_init_script.sh: | - ## #!/bin/sh - ## echo "Do something." - scripts: {} - ## @param primary.preInitDb.scriptsConfigMap ConfigMap with pre-init scripts to be run - ## NOTE: This will override `primary.preInitDb.scripts` - scriptsConfigMap: "" - ## @param primary.preInitDb.scriptsSecret Secret with pre-init scripts to be run - ## NOTE: This can work along `primary.preInitDb.scripts` or `primary.preInitDb.scriptsConfigMap` - scriptsSecret: "" - ## Configure current cluster's primary server to be the standby server in other cluster. - ## This will allow cross cluster replication and provide cross cluster high availability. - ## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. 
- ## @param primary.standby.enabled Whether to enable current cluster's primary as standby server of another cluster or not - ## @param primary.standby.primaryHost The Host of replication primary in the other cluster - ## @param primary.standby.primaryPort The Port of replication primary in the other cluster - ## - standby: - enabled: false - primaryHost: "" - primaryPort: "" - ## @param primary.extraEnvVars Array with extra environment variables to add to PostgreSQL Primary nodes - ## e.g: - ## extraEnvVars: - ## - name: FOO - ## value: "bar" - ## - extraEnvVars: [] - ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes - ## - extraEnvVarsCM: "" - ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL Primary nodes - ## - extraEnvVarsSecret: "" - ## @param primary.command Override default container command (useful when using custom images) - ## - command: [] - ## @param primary.args Override default container args (useful when using custom images) - ## - args: [] - ## Configure extra options for PostgreSQL Primary containers' liveness, readiness and startup probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes - ## @param primary.livenessProbe.enabled Enable livenessProbe on PostgreSQL Primary containers - ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - 
## @param primary.readinessProbe.enabled Enable readinessProbe on PostgreSQL Primary containers - ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param primary.startupProbe.enabled Enable startupProbe on PostgreSQL Primary containers - ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe - ## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param primary.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: - enabled: false - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 15 - successThreshold: 1 - ## @param primary.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param primary.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## @param primary.customStartupProbe Custom startupProbe that overrides the default one - ## - customStartupProbe: {} - ## @param primary.lifecycleHooks for the PostgreSQL Primary container to automate configuration before or after startup - ## - lifecycleHooks: {} - ## PostgreSQL Primary resource requests and limits - ## ref: 
https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). - ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 - ## - resourcesPreset: "nano" - ## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) - ## Example: - ## resources: - ## requests: - ## cpu: 2 - ## memory: 512Mi - ## limits: - ## cpu: 3 - ## memory: 1024Mi - ## - resources: {} - ## Pod Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param primary.podSecurityContext.enabled Enable security context - ## @param primary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy - ## @param primary.podSecurityContext.sysctls Set kernel settings using the sysctl interface - ## @param primary.podSecurityContext.supplementalGroups Set filesystem extra groups - ## @param primary.podSecurityContext.fsGroup Group ID for the pod - ## - podSecurityContext: - enabled: true - fsGroupChangePolicy: Always - sysctls: [] - supplementalGroups: [] - fsGroup: 1001 - ## Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param primary.containerSecurityContext.enabled Enabled containers' Security Context - ## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container - ## @param primary.containerSecurityContext.runAsUser Set containers' Security Context runAsUser - ## @param primary.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup - ## @param 
primary.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot - ## @param primary.containerSecurityContext.privileged Set container's Security Context privileged - ## @param primary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem - ## @param primary.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation - ## @param primary.containerSecurityContext.capabilities.drop List of capabilities to be dropped - ## @param primary.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile - ## - containerSecurityContext: - enabled: true - seLinuxOptions: {} - runAsUser: 1001 - runAsGroup: 1001 - runAsNonRoot: true - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" - ## @param primary.automountServiceAccountToken Mount Service Account token in pod - ## - automountServiceAccountToken: false - ## @param primary.hostAliases PostgreSQL primary pods host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param primary.hostNetwork Specify if host network should be enabled for PostgreSQL pod (postgresql primary) - ## - hostNetwork: false - ## @param primary.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) - ## - hostIPC: false - ## @param primary.labels Map of labels to add to the statefulset (postgresql primary) - ## - labels: {} - ## @param primary.annotations Annotations for PostgreSQL primary pods - ## - annotations: {} - ## @param primary.podLabels Map of labels to add to the pods (postgresql primary) - ## - podLabels: {} - ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary) - ## - podAnnotations: {} - ## @param 
primary.podAffinityPreset PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param primary.podAntiAffinityPreset PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## PostgreSQL Primary node affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param primary.nodeAffinityPreset.type PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param primary.nodeAffinityPreset.key PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## @param primary.nodeAffinityPreset.values PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. - ## E.g. 
- ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param primary.affinity Affinity for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - ## - nodeSelector: {} - ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param primary.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods - ## - topologySpreadConstraints: [] - ## @param primary.priorityClassName Priority Class to use for each pod (postgresql primary) - ## - priorityClassName: "" - ## @param primary.schedulerName Use an alternate scheduler, e.g. "stork". 
- ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param primary.terminationGracePeriodSeconds Seconds PostgreSQL primary pod needs to terminate gracefully - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods - ## - terminationGracePeriodSeconds: "" - ## @param primary.updateStrategy.type PostgreSQL Primary statefulset strategy type - ## @param primary.updateStrategy.rollingUpdate PostgreSQL Primary statefulset rolling update configuration parameters - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## - updateStrategy: - type: RollingUpdate - rollingUpdate: {} - ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) - ## - extraVolumeMounts: [] - ## @param primary.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) - ## - extraVolumes: [] - ## @param primary.sidecars Add additional sidecar containers to the PostgreSQL Primary pod(s) - ## For example: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - ## @param primary.initContainers Add additional init containers to the PostgreSQL Primary pod(s) - ## Example - ## - ## initContainers: - ## - name: do-something - ## image: busybox - ## command: ['do', 'something'] - ## - initContainers: [] - ## Pod Disruption Budget configuration - ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb - ## @param primary.pdb.create Enable/disable a Pod Disruption Budget creation - ## @param primary.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled - ## @param primary.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. 
Defaults to `1` if both `primary.pdb.minAvailable` and `primary.pdb.maxUnavailable` are empty. - ## - pdb: - create: true - minAvailable: "" - maxUnavailable: "" - ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) - ## - extraPodSpec: {} - ## Network Policies - ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ - ## - networkPolicy: - ## @param primary.networkPolicy.enabled Specifies whether a NetworkPolicy should be created - ## - enabled: true - ## @param primary.networkPolicy.allowExternal Don't require server label for connections - ## The Policy model to apply. When set to false, only pods with the correct - ## server label will have network access to the ports server is listening - ## on. When true, server will accept connections from any source - ## (with the correct destination port). - ## - allowExternal: true - ## @param primary.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
- ## - allowExternalEgress: true - ## @param primary.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraIngress: - ## - ports: - ## - port: 1234 - ## from: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - extraIngress: [] - ## @param primary.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraEgress: - ## - ports: - ## - port: 1234 - ## to: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - ## - extraEgress: [] - ## @param primary.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces - ## @param primary.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces - ## - ingressNSMatchLabels: {} - ingressNSPodMatchLabels: {} - ## PostgreSQL Primary service configuration - ## - service: - ## @param primary.service.type Kubernetes Service type - ## - type: ClusterIP - ## @param primary.service.ports.postgresql PostgreSQL service port - ## - ports: - postgresql: 5432 - ## Node ports to expose - ## NOTE: choose port between <30000-32767> - ## @param primary.service.nodePorts.postgresql Node port for PostgreSQL - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePorts: - postgresql: "" - ## @param primary.service.clusterIP Static clusterIP or None for headless services - ## e.g: - ## clusterIP: None - ## - clusterIP: "" - ## @param primary.service.labels Map of labels to add to the primary service - ## - labels: {} - ## @param primary.service.annotations Annotations for PostgreSQL primary service - ## - annotations: {} - ## @param primary.service.loadBalancerClass Load balancer class if service type 
is `LoadBalancer` - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class - ## - loadBalancerClass: "" - ## @param primary.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` - ## Set the LoadBalancer service type to internal only - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param primary.service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param primary.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param primary.service.extraPorts Extra ports to expose in the PostgreSQL primary service - ## - extraPorts: [] - ## @param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" - ## If "ClientIP", consecutive client requests will be directed to the same Pod - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - ## - sessionAffinity: None - ## @param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - ## - sessionAffinityConfig: {} - ## Headless service properties - ## - headless: - ## @param primary.service.headless.annotations Additional custom annotations for headless PostgreSQL primary service - ## - annotations: {} - ## PostgreSQL Primary persistence configuration - ## - persistence: - ## @param primary.persistence.enabled Enable PostgreSQL Primary data 
persistence using PVC - ## - enabled: true - ## @param primary.persistence.volumeName Name to assign the volume - ## - volumeName: "data" - ## @param primary.persistence.existingClaim Name of an existing PVC to use - ## - existingClaim: "" - ## @param primary.persistence.mountPath The path the volume will be mounted at - ## Note: useful when using custom PostgreSQL images - ## - mountPath: /bitnami/postgresql - ## @param primary.persistence.subPath The subdirectory of the volume to mount to - ## Useful in dev environments and one PV for multiple services - ## - subPath: "" - ## @param primary.persistence.storageClass PVC Storage Class for PostgreSQL Primary data volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - storageClass: "" - ## @param primary.persistence.accessModes PVC Access Mode for PostgreSQL volume - ## - accessModes: - - ReadWriteOnce - ## @param primary.persistence.size PVC Storage Request for PostgreSQL volume - ## - size: 8Gi - ## @param primary.persistence.annotations Annotations for the PVC - ## - annotations: {} - ## @param primary.persistence.labels Labels for the PVC - ## - labels: {} - ## @param primary.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} - ## @param primary.persistence.dataSource Custom PVC data source - ## - dataSource: {} - ## PostgreSQL Primary Persistent Volume Claim Retention Policy - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention - ## - persistentVolumeClaimRetentionPolicy: - ## @param primary.persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for Primary 
Statefulset - ## - enabled: false - ## @param primary.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced - ## - whenScaled: Retain - ## @param primary.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted - ## - whenDeleted: Retain -## @section PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`) -## -readReplicas: - ## @param readReplicas.name Name of the read replicas database (eg secondary, slave, ...) - ## - name: read - ## @param readReplicas.replicaCount Number of PostgreSQL read only replicas - ## - replicaCount: 1 - ## @param readReplicas.extendedConfiguration Extended PostgreSQL read only replicas configuration (appended to main or default configuration) - ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf - ## - extendedConfiguration: "" - ## @param readReplicas.extraEnvVars Array with extra environment variables to add to PostgreSQL read only nodes - ## e.g: - ## extraEnvVars: - ## - name: FOO - ## value: "bar" - ## - extraEnvVars: [] - ## @param readReplicas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes - ## - extraEnvVarsCM: "" - ## @param readReplicas.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL read only nodes - ## - extraEnvVarsSecret: "" - ## @param readReplicas.command Override default container command (useful when using custom images) - ## - command: [] - ## @param readReplicas.args Override default container args (useful when using custom images) - ## - args: [] - ## Configure extra options for PostgreSQL read only containers' liveness, readiness and startup probes - ## ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes - ## @param readReplicas.livenessProbe.enabled Enable livenessProbe on PostgreSQL read only containers - ## @param readReplicas.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param readReplicas.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param readReplicas.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param readReplicas.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param readReplicas.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param readReplicas.readinessProbe.enabled Enable readinessProbe on PostgreSQL read only containers - ## @param readReplicas.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param readReplicas.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param readReplicas.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param readReplicas.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param readReplicas.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param readReplicas.startupProbe.enabled Enable startupProbe on PostgreSQL read only containers - ## @param readReplicas.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param readReplicas.startupProbe.periodSeconds Period seconds for startupProbe - ## @param readReplicas.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param readReplicas.startupProbe.failureThreshold Failure threshold for 
startupProbe - ## @param readReplicas.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: - enabled: false - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 15 - successThreshold: 1 - ## @param readReplicas.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param readReplicas.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## @param readReplicas.customStartupProbe Custom startupProbe that overrides the default one - ## - customStartupProbe: {} - ## @param readReplicas.lifecycleHooks for the PostgreSQL read only container to automate configuration before or after startup - ## - lifecycleHooks: {} - ## PostgreSQL read only resource requests and limits - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param readReplicas.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production). 
- ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 - ## - resourcesPreset: "nano" - ## @param readReplicas.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) - ## Example: - ## resources: - ## requests: - ## cpu: 2 - ## memory: 512Mi - ## limits: - ## cpu: 3 - ## memory: 1024Mi - ## - resources: {} - ## Pod Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param readReplicas.podSecurityContext.enabled Enable security context - ## @param readReplicas.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy - ## @param readReplicas.podSecurityContext.sysctls Set kernel settings using the sysctl interface - ## @param readReplicas.podSecurityContext.supplementalGroups Set filesystem extra groups - ## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod - ## - podSecurityContext: - enabled: true - fsGroupChangePolicy: Always - sysctls: [] - supplementalGroups: [] - fsGroup: 1001 - ## Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param readReplicas.containerSecurityContext.enabled Enabled containers' Security Context - ## @param readReplicas.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container - ## @param readReplicas.containerSecurityContext.runAsUser Set containers' Security Context runAsUser - ## @param readReplicas.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup - ## @param readReplicas.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot - ## @param readReplicas.containerSecurityContext.privileged Set container's Security Context privileged - ## @param readReplicas.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem - ## 
@param readReplicas.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation - ## @param readReplicas.containerSecurityContext.capabilities.drop List of capabilities to be dropped - ## @param readReplicas.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile - ## - containerSecurityContext: - enabled: true - seLinuxOptions: {} - runAsUser: 1001 - runAsGroup: 1001 - runAsNonRoot: true - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" - ## @param readReplicas.automountServiceAccountToken Mount Service Account token in pod - ## - automountServiceAccountToken: false - ## @param readReplicas.hostAliases PostgreSQL read only pods host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param readReplicas.hostNetwork Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) - ## - hostNetwork: false - ## @param readReplicas.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) - ## - hostIPC: false - ## @param readReplicas.labels Map of labels to add to the statefulset (PostgreSQL read only) - ## - labels: {} - ## @param readReplicas.annotations Annotations for PostgreSQL read only pods - ## - annotations: {} - ## @param readReplicas.podLabels Map of labels to add to the pods (PostgreSQL read only) - ## - podLabels: {} - ## @param readReplicas.podAnnotations Map of annotations to add to the pods (PostgreSQL read only) - ## - podAnnotations: {} - ## @param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. 
Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## PostgreSQL read only node affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## @param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. - ## E.g. 
- ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param readReplicas.affinity Affinity for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - ## - nodeSelector: {} - ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods - ## - topologySpreadConstraints: [] - ## @param readReplicas.priorityClassName Priority Class to use for each pod (PostgreSQL read only) - ## - priorityClassName: "" - ## @param readReplicas.schedulerName Use an alternate scheduler, e.g. "stork". 
- ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param readReplicas.terminationGracePeriodSeconds Seconds PostgreSQL read only pod needs to terminate gracefully - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods - ## - terminationGracePeriodSeconds: "" - ## @param readReplicas.updateStrategy.type PostgreSQL read only statefulset strategy type - ## @param readReplicas.updateStrategy.rollingUpdate PostgreSQL read only statefulset rolling update configuration parameters - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## - updateStrategy: - type: RollingUpdate - rollingUpdate: {} - ## @param readReplicas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) - ## - extraVolumeMounts: [] - ## @param readReplicas.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) - ## - extraVolumes: [] - ## @param readReplicas.sidecars Add additional sidecar containers to the PostgreSQL read only pod(s) - ## For example: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - ## @param readReplicas.initContainers Add additional init containers to the PostgreSQL read only pod(s) - ## Example - ## - ## initContainers: - ## - name: do-something - ## image: busybox - ## command: ['do', 'something'] - ## - initContainers: [] - ## Pod Disruption Budget configuration - ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb - ## @param readReplicas.pdb.create Enable/disable a Pod Disruption Budget creation - ## @param readReplicas.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled - ## @param readReplicas.pdb.maxUnavailable Maximum number/percentage of pods that 
may be made unavailable. Defaults to `1` if both `readReplicas.pdb.minAvailable` and `readReplicas.pdb.maxUnavailable` are empty. - ## - pdb: - create: true - minAvailable: "" - maxUnavailable: "" - ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s) - ## - extraPodSpec: {} - ## Network Policies - ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ - ## - networkPolicy: - ## @param readReplicas.networkPolicy.enabled Specifies whether a NetworkPolicy should be created - ## - enabled: true - ## @param readReplicas.networkPolicy.allowExternal Don't require server label for connections - ## The Policy model to apply. When set to false, only pods with the correct - ## server label will have network access to the ports server is listening - ## on. When true, server will accept connections from any source - ## (with the correct destination port). - ## - allowExternal: true - ## @param readReplicas.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
- ## - allowExternalEgress: true - ## @param readReplicas.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraIngress: - ## - ports: - ## - port: 1234 - ## from: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - extraIngress: [] - ## @param readReplicas.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraEgress: - ## - ports: - ## - port: 1234 - ## to: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - ## - extraEgress: [] - ## @param readReplicas.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces - ## @param readReplicas.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces - ## - ingressNSMatchLabels: {} - ingressNSPodMatchLabels: {} - ## PostgreSQL read only service configuration - ## - service: - ## @param readReplicas.service.type Kubernetes Service type - ## - type: ClusterIP - ## @param readReplicas.service.ports.postgresql PostgreSQL service port - ## - ports: - postgresql: 5432 - ## Node ports to expose - ## NOTE: choose port between <30000-32767> - ## @param readReplicas.service.nodePorts.postgresql Node port for PostgreSQL - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePorts: - postgresql: "" - ## @param readReplicas.service.clusterIP Static clusterIP or None for headless services - ## e.g: - ## clusterIP: None - ## - clusterIP: "" - ## @param readReplicas.service.labels Map of labels to add to the read service - ## - labels: {} - ## @param readReplicas.service.annotations Annotations for PostgreSQL read only service - ## - annotations: {} - ## @param 
readReplicas.service.loadBalancerClass Load balancer class if service type is `LoadBalancer` - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class - ## - loadBalancerClass: "" - ## @param readReplicas.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` - ## Set the LoadBalancer service type to internal only - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param readReplicas.service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param readReplicas.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param readReplicas.service.extraPorts Extra ports to expose in the PostgreSQL read only service - ## - extraPorts: [] - ## @param readReplicas.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" - ## If "ClientIP", consecutive client requests will be directed to the same Pod - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - ## - sessionAffinity: None - ## @param readReplicas.service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - ## - sessionAffinityConfig: {} - ## Headless service properties - ## - headless: - ## @param readReplicas.service.headless.annotations Additional custom annotations for headless PostgreSQL read only service - ## - annotations: {} - ## PostgreSQL read only 
persistence configuration - ## - persistence: - ## @param readReplicas.persistence.enabled Enable PostgreSQL read only data persistence using PVC - ## - enabled: true - ## @param readReplicas.persistence.existingClaim Name of an existing PVC to use - ## - existingClaim: "" - ## @param readReplicas.persistence.mountPath The path the volume will be mounted at - ## Note: useful when using custom PostgreSQL images - ## - mountPath: /bitnami/postgresql - ## @param readReplicas.persistence.subPath The subdirectory of the volume to mount to - ## Useful in dev environments and one PV for multiple services - ## - subPath: "" - ## @param readReplicas.persistence.storageClass PVC Storage Class for PostgreSQL read only data volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - storageClass: "" - ## @param readReplicas.persistence.accessModes PVC Access Mode for PostgreSQL volume - ## - accessModes: - - ReadWriteOnce - ## @param readReplicas.persistence.size PVC Storage Request for PostgreSQL volume - ## - size: 8Gi - ## @param readReplicas.persistence.annotations Annotations for the PVC - ## - annotations: {} - ## @param readReplicas.persistence.labels Labels for the PVC - ## - labels: {} - ## @param readReplicas.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} - ## @param readReplicas.persistence.dataSource Custom PVC data source - ## - dataSource: {} - ## PostgreSQL Read only Persistent Volume Claim Retention Policy - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention - ## - persistentVolumeClaimRetentionPolicy: - ## @param 
readReplicas.persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for read only Statefulset - ## - enabled: false - ## @param readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced - ## - whenScaled: Retain - ## @param readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted - ## - whenDeleted: Retain -## @section Backup parameters -## This section implements a trivial logical dump cronjob of the database. -## This only comes with the consistency guarantees of the dump program. -## This is not a snapshot based roll forward/backward recovery backup. -## ref: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ -backup: - ## @param backup.enabled Enable the logical dump of the database "regularly" - enabled: false - cronjob: - ## @param backup.cronjob.schedule Set the cronjob parameter schedule - schedule: "@daily" - ## @param backup.cronjob.timeZone Set the cronjob parameter timeZone - timeZone: "" - ## @param backup.cronjob.concurrencyPolicy Set the cronjob parameter concurrencyPolicy - concurrencyPolicy: Allow - ## @param backup.cronjob.failedJobsHistoryLimit Set the cronjob parameter failedJobsHistoryLimit - failedJobsHistoryLimit: 1 - ## @param backup.cronjob.successfulJobsHistoryLimit Set the cronjob parameter successfulJobsHistoryLimit - successfulJobsHistoryLimit: 3 - ## @param backup.cronjob.startingDeadlineSeconds Set the cronjob parameter startingDeadlineSeconds - startingDeadlineSeconds: "" - ## @param backup.cronjob.ttlSecondsAfterFinished Set the cronjob parameter ttlSecondsAfterFinished - ttlSecondsAfterFinished: "" - ## @param backup.cronjob.restartPolicy Set the cronjob parameter restartPolicy - restartPolicy: OnFailure - ## @param backup.cronjob.podSecurityContext.enabled Enable PodSecurityContext for CronJob/Backup - ## @param 
backup.cronjob.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy - ## @param backup.cronjob.podSecurityContext.sysctls Set kernel settings using the sysctl interface - ## @param backup.cronjob.podSecurityContext.supplementalGroups Set filesystem extra groups - ## @param backup.cronjob.podSecurityContext.fsGroup Group ID for the CronJob - podSecurityContext: - enabled: true - fsGroupChangePolicy: Always - sysctls: [] - supplementalGroups: [] - fsGroup: 1001 - ## backup container's Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context - ## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container - ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser - ## @param backup.cronjob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup - ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot - ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged - ## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem - ## @param backup.cronjob.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation - ## @param backup.cronjob.containerSecurityContext.capabilities.drop List of capabilities to be dropped - ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile - containerSecurityContext: - enabled: true - seLinuxOptions: {} - runAsUser: 1001 - runAsGroup: 1001 - runAsNonRoot: true - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - 
capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" - ## @param backup.cronjob.command Set backup container's command to run - command: - - /bin/sh - - -c - - "pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump" - ## @param backup.cronjob.labels Set the cronjob labels - labels: {} - ## @param backup.cronjob.annotations Set the cronjob annotations - annotations: {} - ## @param backup.cronjob.nodeSelector Node labels for PostgreSQL backup CronJob pod assignment - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/ - ## - nodeSelector: {} - ## @param backup.cronjob.tolerations Tolerations for PostgreSQL backup CronJob pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## backup cronjob container resource requests and limits - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param backup.cronjob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). 
- ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 - ## - resourcesPreset: "nano" - ## @param backup.cronjob.resources Set container requests and limits for different resources like CPU or memory - ## Example: - resources: {} - ## resources: - ## requests: - ## cpu: 1 - ## memory: 512Mi - ## limits: - ## cpu: 2 - ## memory: 1024Mi - networkPolicy: - ## @param backup.cronjob.networkPolicy.enabled Specifies whether a NetworkPolicy should be created - ## - enabled: true - storage: - ## @param backup.cronjob.storage.enabled Enable using a `PersistentVolumeClaim` as backup data volume - ## - enabled: true - ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) - ## If defined, PVC must be created manually before volume will be bound - ## - existingClaim: "" - ## @param backup.cronjob.storage.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted - ## - resourcePolicy: "" - ## @param backup.cronjob.storage.storageClass PVC Storage Class for the backup data volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. - ## - storageClass: "" - ## @param backup.cronjob.storage.accessModes PV Access Mode - ## - accessModes: - - ReadWriteOnce - ## @param backup.cronjob.storage.size PVC Storage Request for the backup data volume - ## - size: 8Gi - ## @param backup.cronjob.storage.annotations PVC annotations - ## - annotations: {} - ## @param backup.cronjob.storage.mountPath Path to mount the volume at - ## - mountPath: /backup/pgdump - ## @param backup.cronjob.storage.subPath Subdirectory of the volume to mount at - ## and one PV for multiple services. 
- ## - subPath: "" - ## Fine tuning for volumeClaimTemplates - ## - volumeClaimTemplates: - ## @param backup.cronjob.storage.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes) - ## A label query over volumes to consider for binding (e.g. when using local volumes) - ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details - ## - selector: {} - ## @param backup.cronjob.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the backup container - ## - extraVolumeMounts: [] - ## @param backup.cronjob.extraVolumes Optionally specify extra list of additional volumes for the backup container - ## - extraVolumes: [] - -## @section Password update job -## -passwordUpdateJob: - ## @param passwordUpdateJob.enabled Enable password update job - ## - enabled: false - ## @param passwordUpdateJob.backoffLimit set backoff limit of the job - ## - backoffLimit: 10 - ## @param passwordUpdateJob.command Override default container command on mysql Primary container(s) (useful when using custom images) - ## - command: [] - ## @param passwordUpdateJob.args Override default container args on mysql Primary container(s) (useful when using custom images) - ## - args: [] - ## @param passwordUpdateJob.extraCommands Extra commands to pass to the generation job - ## - extraCommands: "" - ## @param passwordUpdateJob.previousPasswords.postgresPassword Previous postgres password (set if the password secret was already changed) - ## @param passwordUpdateJob.previousPasswords.password Previous password (set if the password secret was already changed) - ## @param passwordUpdateJob.previousPasswords.replicationPassword Previous replication password (set if the password secret was already changed) - ## @param passwordUpdateJob.previousPasswords.existingSecret Name of a secret containing the previous passwords (set if the password secret was already changed) - 
previousPasswords: - postgresPassword: "" - password: "" - replicationPassword: "" - existingSecret: "" - ## Configure Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param passwordUpdateJob.containerSecurityContext.enabled Enabled containers' Security Context - ## @param passwordUpdateJob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container - ## @param passwordUpdateJob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser - ## @param passwordUpdateJob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup - ## @param passwordUpdateJob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot - ## @param passwordUpdateJob.containerSecurityContext.privileged Set container's Security Context privileged - ## @param passwordUpdateJob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem - ## @param passwordUpdateJob.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation - ## @param passwordUpdateJob.containerSecurityContext.capabilities.drop List of capabilities to be dropped - ## @param passwordUpdateJob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile - ## - containerSecurityContext: - enabled: true - seLinuxOptions: {} - runAsUser: 1001 - runAsGroup: 1001 - runAsNonRoot: true - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" - ## Configure Pods Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param passwordUpdateJob.podSecurityContext.enabled Enabled credential init job pods' Security Context - ## 
@param passwordUpdateJob.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy - ## @param passwordUpdateJob.podSecurityContext.sysctls Set kernel settings using the sysctl interface - ## @param passwordUpdateJob.podSecurityContext.supplementalGroups Set filesystem extra groups - ## @param passwordUpdateJob.podSecurityContext.fsGroup Set credential init job pod's Security Context fsGroup - ## - podSecurityContext: - enabled: true - fsGroupChangePolicy: Always - sysctls: [] - supplementalGroups: [] - fsGroup: 1001 - ## @param passwordUpdateJob.extraEnvVars Array containing extra env vars to configure the credential init job - ## For example: - ## extraEnvVars: - ## - name: GF_DEFAULT_INSTANCE_NAME - ## value: my-instance - ## - extraEnvVars: [] - ## @param passwordUpdateJob.extraEnvVarsCM ConfigMap containing extra env vars to configure the credential init job - ## - extraEnvVarsCM: "" - ## @param passwordUpdateJob.extraEnvVarsSecret Secret containing extra env vars to configure the credential init job (in case of sensitive data) - ## - extraEnvVarsSecret: "" - ## @param passwordUpdateJob.extraVolumes Optionally specify extra list of additional volumes for the credential init job - ## - extraVolumes: [] - ## @param passwordUpdateJob.extraVolumeMounts Array of extra volume mounts to be added to the jwt Container (evaluated as template). Normally used with `extraVolumes`. - ## - extraVolumeMounts: [] - ## @param passwordUpdateJob.initContainers Add additional init containers for the mysql Primary pod(s) - ## - initContainers: [] - ## Container resource requests and limits - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param passwordUpdateJob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). 
This is ignored if passwordUpdateJob.resources is set (passwordUpdateJob.resources is recommended for production). - ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 - ## - resourcesPreset: "micro" - ## @param passwordUpdateJob.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) - ## Example: - ## resources: - ## requests: - ## cpu: 2 - ## memory: 512Mi - ## limits: - ## cpu: 3 - ## memory: 1024Mi - ## - resources: {} - ## @param passwordUpdateJob.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param passwordUpdateJob.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## @param passwordUpdateJob.customStartupProbe Custom startupProbe that overrides the default one - ## - customStartupProbe: {} - ## @param passwordUpdateJob.automountServiceAccountToken Mount Service Account token in pod - ## - automountServiceAccountToken: false - ## @param passwordUpdateJob.hostAliases Add deployment host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param passwordUpdateJob.annotations [object] Add annotations to the job - ## - annotations: {} - ## @param passwordUpdateJob.podLabels Additional pod labels - ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - ## @param passwordUpdateJob.podAnnotations Additional pod annotations - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: {} - -## @section Volume Permissions parameters -## - -## Init containers parameters: -## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node -## -volumePermissions: - ## @param 
volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume - ## - enabled: false - ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry - ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository - ## @skip volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) - ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag - ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy - ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets - ## - image: - registry: docker.io - repository: bitnami/os-shell - tag: 12-debian-12-r41 - digest: "" - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Init container resource requests and limits - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
- ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 - ## - resourcesPreset: "nano" - ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) - ## Example: - ## resources: - ## requests: - ## cpu: 2 - ## memory: 512Mi - ## limits: - ## cpu: 3 - ## memory: 1024Mi - ## - resources: {} - ## Init container' Security Context - ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser - ## and not the below volumePermissions.containerSecurityContext.runAsUser - ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container - ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container - ## @param volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container - ## @param volumePermissions.containerSecurityContext.runAsNonRoot runAsNonRoot for the init container - ## @param volumePermissions.containerSecurityContext.seccompProfile.type seccompProfile.type for the init container - ## - containerSecurityContext: - seLinuxOptions: {} - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seccompProfile: - type: RuntimeDefault -## @section Other Parameters -## - -## @param serviceBindings.enabled Create secret for service binding (Experimental) -## Ref: https://servicebinding.io/service-provider/ -## -serviceBindings: - enabled: false -## Service account for PostgreSQL to use. -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -## -serviceAccount: - ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod - ## - create: true - ## @param serviceAccount.name The name of the ServiceAccount to use. 
- ## If not set and create is true, a name is generated using the common.names.fullname template - ## - name: "" - ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created - ## Can be set to false if pods using this serviceAccount do not need to use K8s API - ## - automountServiceAccountToken: false - ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount - ## - annotations: {} -## Creates role for ServiceAccount -## @param rbac.create Create Role and RoleBinding (required for PSP to work) -## -rbac: - create: false - ## @param rbac.rules Custom RBAC rules to set - ## e.g: - ## rules: - ## - apiGroups: - ## - "" - ## resources: - ## - pods - ## verbs: - ## - get - ## - list - ## - rules: [] -## Pod Security Policy -## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later -## -psp: - create: false -## @section Metrics Parameters -## -metrics: - ## @param metrics.enabled Start a prometheus exporter - ## - enabled: false - ## @param metrics.image.registry [default: REGISTRY_NAME] PostgreSQL Prometheus Exporter image registry - ## @param metrics.image.repository [default: REPOSITORY_NAME/postgres-exporter] PostgreSQL Prometheus Exporter image repository - ## @skip metrics.image.tag PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) - ## @param metrics.image.digest PostgreSQL image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag - ## @param metrics.image.pullPolicy PostgreSQL Prometheus Exporter image pull policy - ## @param metrics.image.pullSecrets Specify image pull secrets - ## - image: - registry: docker.io - repository: bitnami/postgres-exporter - tag: 0.17.1-debian-12-r4 - digest: "" - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## @param metrics.collectors Control enabled collectors - ## ref: https://github.com/prometheus-community/postgres_exporter#flags - ## Example: - ## collectors: - ## wal: false - collectors: {} - ## @param metrics.customMetrics Define additional custom metrics - ## ref: https://github.com/prometheus-community/postgres_exporter#adding-new-metrics-via-a-config-file-deprecated - ## customMetrics: - ## pg_database: - ## query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" - ## metrics: - ## - name: - ## usage: "LABEL" - ## description: "Name of the database" - ## - size_bytes: - ## usage: "GAUGE" - ## description: "Size of the database in bytes" - ## - customMetrics: {} - ## @param metrics.extraEnvVars Extra environment variables to add to PostgreSQL Prometheus exporter - ## see: https://github.com/prometheus-community/postgres_exporter#environment-variables - ## For example: - ## extraEnvVars: - ## - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS - ## value: "true" - ## - extraEnvVars: [] - ## PostgreSQL Prometheus exporter containers' Security Context - ## ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context - ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container - ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser - ## @param metrics.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup - ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot - ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged - ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem - ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation - ## @param metrics.containerSecurityContext.capabilities.drop List of capabilities to be dropped - ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile - ## - containerSecurityContext: - enabled: true - seLinuxOptions: {} - runAsUser: 1001 - runAsGroup: 1001 - runAsNonRoot: true - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" - ## Configure extra options for PostgreSQL Prometheus exporter containers' liveness, readiness and startup probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes - ## @param metrics.livenessProbe.enabled Enable livenessProbe on PostgreSQL Prometheus exporter containers - ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe - 
## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param metrics.readinessProbe.enabled Enable readinessProbe on PostgreSQL Prometheus exporter containers - ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param metrics.startupProbe.enabled Enable startupProbe on PostgreSQL Prometheus exporter containers - ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe - ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: - enabled: false - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 15 - successThreshold: 1 - ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one - 
## - customReadinessProbe: {} - ## @param metrics.customStartupProbe Custom startupProbe that overrides the default one - ## - customStartupProbe: {} - ## @param metrics.containerPorts.metrics PostgreSQL Prometheus exporter metrics container port - ## - containerPorts: - metrics: 9187 - ## PostgreSQL Prometheus exporter resource requests and limits - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). - ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 - ## - resourcesPreset: "nano" - ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) - ## Example: - ## resources: - ## requests: - ## cpu: 2 - ## memory: 512Mi - ## limits: - ## cpu: 3 - ## memory: 1024Mi - ## - resources: {} - ## Service configuration - ## - service: - ## @param metrics.service.ports.metrics PostgreSQL Prometheus Exporter service port - ## - ports: - metrics: 9187 - ## @param metrics.service.clusterIP Static clusterIP or None for headless services - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address - ## - clusterIP: "" - ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin - ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - ## - sessionAffinity: None - ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint - ## - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" - ## Prometheus 
Operator ServiceMonitor configuration - ## - serviceMonitor: - ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator - ## - enabled: false - ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) - ## - namespace: "" - ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## - interval: "" - ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## - scrapeTimeout: "" - ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus - ## - labels: {} - ## @param metrics.serviceMonitor.selector Prometheus instance selector labels - ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration - ## - selector: {} - ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping - ## - relabelings: [] - ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion - ## - metricRelabelings: [] - ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint - ## - honorLabels: false - ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. 
- ## - jobLabel: "" - ## Custom PrometheusRule to be defined - ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart - ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions - ## - prometheusRule: - ## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator - ## - enabled: false - ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) - ## - namespace: "" - ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus - ## - labels: {} - ## @param metrics.prometheusRule.rules PrometheusRule definitions - ## Make sure to constraint the rules to the current postgresql service. - ## rules: - ## - alert: HugeReplicationLag - ## expr: pg_replication_lag{service="{{ printf "%s-metrics" (include "common.names.fullname" .) }}"} / 3600 > 1 - ## for: 1m - ## labels: - ## severity: critical - ## annotations: - ## description: replication for {{ include "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). - ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). - ## - rules: [] diff --git a/charts/gitea-bitnami/templates/NOTES.txt b/charts/gitea-bitnami/templates/NOTES.txt deleted file mode 100644 index caa6baf..0000000 --- a/charts/gitea-bitnami/templates/NOTES.txt +++ /dev/null 
@@ -1,80 +0,0 @@ -CHART NAME: {{ .Chart.Name }} -CHART VERSION: {{ .Chart.Version }} -APP VERSION: {{ .Chart.AppVersion }} - -Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami for more information. - -{{- if or .Values.postgresql.enabled .Values.externalDatabase.host }} - -** Please be patient while the chart is being deployed ** - -1. Get the Gitea URL: - -{{- if .Values.ingress.enabled }} - - You should be able to access your new Gitea installation through - - http://{{- .Values.ingress.hostname }}/ - -{{- else if eq .Values.service.type "LoadBalancer" }} - - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -w {{ include "common.names.fullname" . }}' - - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.names.namespace" . }} {{ include "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") - -{{- $port:= .Values.service.ports.http | toString }} - echo "Gitea URL: http://$SERVICE_IP{{- if ne $port "80" }}:{{ .Values.service.ports.http }}{{ end }}/" - -{{- if not (include "gitea.rootURL" .)}} - -WARNING: You did not specify a Root URL for Gitea. The rendered URLs in Gitea may not show correctly. In order to set a root URL use the rootURL value. -{{- end }} - -{{- else if eq .Values.service.type "ClusterIP" }} - - echo "Gitea URL: http://127.0.0.1:8080/" - kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ include "common.names.fullname" . 
}} 8080:{{ .Values.service.ports.http }} - -{{- end }} - -{{- if eq .Values.service.type "NodePort" }} - - Or running: - - export NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo "Gitea URL: http://$NODE_IP:$NODE_PORT/" - -{{- end }} - -2. Get your Gitea login credentials by running: - - echo Username: {{ .Values.adminUsername }} - echo Password: $(kubectl get secret --namespace {{ include "common.names.namespace" . }} {{ template "gitea.secretName" . }} -o jsonpath="{.data.admin-password}" | base64 -d) - -{{- else -}} - -######################################################################################## -### ERROR: You did not provide an external database host in your 'helm install' call ### -######################################################################################## - -This deployment will be incomplete until you configure Gitea with a resolvable database -host. To configure Gitea to use and external database host: - -1. Complete your Gitea deployment by running: - - export APP_PASSWORD=$(kubectl get secret --namespace {{ include "common.names.namespace" . }} {{ template "gitea.secretName" . }} -o jsonpath="{.data.admin-password}" | base64 -d) - - ## PLEASE UPDATE THE EXTERNAL DATABASE CONNECTION PARAMETERS IN THE FOLLOWING COMMAND AS NEEDED ## - - helm upgrade --namespace {{ include "common.names.namespace" . 
}} {{ .Release.Name }} oci://registry-1.docker.io/bitnamicharts/{{ .Chart.Name }} \ - --set giteaPassword=$APP_PASSWORD,service.type={{ .Values.service.type }},postgresql.enabled=false{{- if not (empty .Values.externalDatabase.user) }},externalDatabase.user={{ .Values.externalDatabase.user }}{{- end }}{{- if not (empty .Values.externalDatabase.password) }},externalDatabase.password={{ .Values.externalDatabase.password }}{{- end }}{{- if not (empty .Values.externalDatabase.database) }},externalDatabase.database={{ .Values.externalDatabase.database }}{{- end }},externalDatabase.host=YOUR_EXTERNAL_DATABASE_HOST{{- if .Values.global }}{{- if .Values.global.imagePullSecrets }},global.imagePullSecrets={{ .Values.global.imagePullSecrets }}{{- end }}{{- end }} - -{{- end }} - -{{- include "common.warnings.rollingTag" .Values.image }} -{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} -{{- include "common.warnings.resources" (dict "sections" (list "" "volumePermissions") "context" $) }} -{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image) "context" $) }} -{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.volumePermissions.image) "context" $) }} diff --git a/charts/gitea-bitnami/templates/_helpers.tpl b/charts/gitea-bitnami/templates/_helpers.tpl deleted file mode 100644 index 798f423..0000000 --- a/charts/gitea-bitnami/templates/_helpers.tpl +++ /dev/null 
@@ -1,174 +0,0 @@ -{{/* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* -Create a default fully qualified postgresql name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "gitea.postgresql.fullname" -}} -{{- include "common.names.dependency.fullname" (dict "chartName" "postgresql" "chartValues" .Values.postgresql "context" $) -}} -{{- end -}} - -{{/* -Return the proper Gitea image name -*/}} -{{- define "gitea.image" -}} -{{- include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) -}} -{{- end -}} - -{{/* -Return the proper image name (for the init container volume-permissions image) -*/}} -{{- define "gitea.volumePermissions.image" -}} -{{- include "common.images.image" ( dict "imageRoot" .Values.volumePermissions.image "global" .Values.global ) -}} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names -*/}} -{{- define "gitea.imagePullSecrets" -}} -{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.volumePermissions.image) "global" .Values.global) -}} -{{- end -}} - -{{/* -Return the proper Storage Class -*/}} -{{- define "gitea.storageClass" -}} -{{- include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) -}} -{{- end -}} - -{{/* -Gitea credential secret name -*/}} -{{- define "gitea.secretName" -}} -{{- coalesce .Values.existingSecret (include "common.names.fullname" .) 
-}} -{{- end -}} - -{{/* -Gitea root URL -*/}} -{{- define "gitea.rootURL" -}} -{{- if .Values.rootURL -}} - {{- print .Values.rootURL -}} -{{- else if .Values.ingress.enabled -}} - {{- printf "http://%s" .Values.ingress.hostname -}} -{{- else if (and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP) -}} - {{- $url := printf "http://%s" .Values.service.loadBalancerIP -}} - {{- $port:= .Values.service.ports.http | toString }} - {{- if (ne $port "80") -}} - {{- $url = printf "%s:%s" $url $port -}} - {{- end -}} - {{- print $url -}} -{{- end -}} -{{- end -}} - -{{/* - Create the name of the service account to use - */}} -{{- define "gitea.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{- default (include "common.names.fullname" .) .Values.serviceAccount.name -}} -{{- else -}} - {{- default "default" .Values.serviceAccount.name -}} -{{- end -}} -{{- end -}} - -{{/* -Gitea credential secret name -*/}} -{{- define "gitea.secretKey" -}} -{{- if .Values.existingSecret -}} - {{- print .Values.existingSecretKey -}} -{{- else -}} - {{- print "admin-password" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the SMTP Secret Name -*/}} -{{- define "gitea.smtpSecretName" -}} -{{- if .Values.smtpExistingSecret }} - {{- print .Values.smtpExistingSecret -}} -{{- else -}} - {{- print (include "common.names.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Return the PostgreSQL Hostname -*/}} -{{- define "gitea.databaseHost" -}} -{{- if .Values.postgresql.enabled }} - {{- if eq .Values.postgresql.architecture "replication" }} - {{- printf "%s-%s" (include "gitea.postgresql.fullname" .) "primary" | trunc 63 | trimSuffix "-" -}} - {{- else -}} - {{- print (include "gitea.postgresql.fullname" .) 
-}} - {{- end -}} -{{- else -}} - {{- print .Values.externalDatabase.host -}} -{{- end -}} -{{- end -}} - -{{/* -Return the PostgreSQL Port -*/}} -{{- define "gitea.databasePort" -}} -{{- if .Values.postgresql.enabled }} - {{- print .Values.postgresql.primary.service.ports.postgresql -}} -{{- else -}} - {{- printf "%d" (.Values.externalDatabase.port | int ) -}} -{{- end -}} -{{- end -}} - -{{/* -Return the PostgreSQL Database Name -*/}} -{{- define "gitea.databaseName" -}} -{{- if .Values.postgresql.enabled }} - {{- print .Values.postgresql.auth.database -}} -{{- else -}} - {{- print .Values.externalDatabase.database -}} -{{- end -}} -{{- end -}} - -{{/* -Return the PostgreSQL User -*/}} -{{- define "gitea.databaseUser" -}} -{{- if .Values.postgresql.enabled }} - {{- print .Values.postgresql.auth.username -}} -{{- else -}} - {{- print .Values.externalDatabase.user -}} -{{- end -}} -{{- end -}} - -{{/* -Return the PostgreSQL Secret Name -*/}} -{{- define "gitea.databaseSecretName" -}} -{{- if .Values.postgresql.enabled }} - {{- if .Values.postgresql.auth.existingSecret -}} - {{- print .Values.postgresql.auth.existingSecret -}} - {{- else -}} - {{- print (include "gitea.postgresql.fullname" .) -}} - {{- end -}} -{{- else if .Values.externalDatabase.existingSecret -}} - {{- print .Values.externalDatabase.existingSecret -}} -{{- else -}} - {{- printf "%s-%s" (include "common.names.fullname" .) "externaldb" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the database password key -*/}} -{{- define "gitea.databasePasswordKey" -}} -{{- if .Values.postgresql.enabled -}} -{{- print "password" -}} -{{- else -}} -{{ print .Values.externalDatabase.existingSecretPasswordKey }} -{{- end -}} -{{- end -}} diff --git a/charts/gitea-bitnami/templates/deployment.yaml b/charts/gitea-bitnami/templates/deployment.yaml deleted file mode 100644 index cfdcfbb..0000000 --- a/charts/gitea-bitnami/templates/deployment.yaml +++ /dev/null 
@@ -1,316 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} -kind: Deployment -metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ include "common.names.namespace" . | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} - selector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} - {{- if .Values.updateStrategy }} - strategy: {{- toYaml .Values.updateStrategy | nindent 4 }} - {{- end }} - replicas: 1 - template: - metadata: - labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} - {{- if .Values.podAnnotations }} - annotations: {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} - {{- end }} - spec: - {{- include "gitea.imagePullSecrets" . | nindent 6 }} - serviceAccountName: {{ include "gitea.serviceAccountName" . 
}} - {{- if .Values.podSecurityContext.enabled }} - securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.schedulerName }} - schedulerName: {{ .Values.schedulerName }} - {{- end }} - {{- if .Values.topologySpreadConstraints }} - topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) 
| nindent 8 }} - {{- end }} - priorityClassName: {{ .Values.priorityClassName | quote }} - {{- if .Values.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} - {{- end }} - automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} - {{- if .Values.hostAliases }} - # yamllint disable rule:indentation - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} - # yamllint enable rule:indentation - {{- end }} - initContainers: - {{- if .Values.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} - {{- end }} - {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - - name: volume-permissions - image: {{ include "gitea.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - command: - - sh - - -c - - | - mkdir -p "/bitnami/gitea" - chown -R "{{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}" "/bitnami/gitea" - securityContext: - runAsUser: 0 - {{- if .Values.volumePermissions.resources }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} - {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} - resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} - {{- end }} - volumeMounts: - - name: gitea-data - mountPath: /bitnami/gitea - {{- end }} - - name: prepare-base-dir - image: {{ include "gitea.image" . 
}} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- else if ne .Values.resourcesPreset "none" }} - resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} - {{- end }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} - {{- end }} - command: - - /bin/bash - args: - - -ec - - | - #!/bin/bash - - . /opt/bitnami/scripts/liblog.sh - - info "Copying base dir to empty dir" - # In order to not break the application functionality (such as upgrades or plugins) we need - # to make the base directory writable, so we need to copy it to an empty dir volume - cp -r --preserve=mode /opt/bitnami/gitea /emptydir/app-base-dir - - info "Copy operation completed" - volumeMounts: - - name: empty-dir - mountPath: /emptydir - containers: - - name: gitea - image: {{ template "gitea.image" . 
}} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if .Values.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" .Values.image.debug | quote }} - - name: GITEA_HTTP_PORT - value: {{ .Values.containerPorts.http | quote }} - - name: GITEA_SSH_LISTEN_PORT - value: {{ .Values.containerPorts.ssh | quote }} - - name: GITEA_SSH_PORT - value: {{ .Values.service.ports.ssh | quote }} - - name: GITEA_DATABASE_HOST - value: {{ include "gitea.databaseHost" . | quote }} - - name: GITEA_DATABASE_PORT_NUMBER - value: {{ include "gitea.databasePort" . | quote }} - - name: GITEA_DATABASE_NAME - value: {{ include "gitea.databaseName" . | quote }} - - name: GITEA_DATABASE_USERNAME - value: {{ include "gitea.databaseUser" . | quote }} - {{- if .Values.usePasswordFiles }} - - name: GITEA_DATABASE_PASSWORD_FILE - value: {{ printf "/opt/bitnami/gitea/secrets/%s" (include "gitea.databasePasswordKey" .) }} - {{- else }} - - name: GITEA_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "gitea.databaseSecretName" . }} - key: {{ include "gitea.databasePasswordKey" . | quote }} - {{- end }} - - name: GITEA_ADMIN_USER - value: {{ .Values.adminUsername | quote }} - {{- if .Values.usePasswordFiles }} - - name: GITEA_ADMIN_PASSWORD_FILE - value: {{ printf "/opt/bitnami/gitea/secrets/%s" (include "gitea.secretKey" .) }} - {{- else }} - - name: GITEA_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "gitea.secretName" . 
}} - key: {{ include "gitea.secretKey" . }} - {{- end }} - - name: GITEA_ADMIN_EMAIL - value: {{ .Values.adminEmail | quote }} - - name: GITEA_APP_NAME - value: {{ .Values.appName | quote }} - - name: GITEA_RUN_MODE - value: {{ .Values.runMode | quote }} - {{- if (include "gitea.rootURL" .) }} - - name: GITEA_ROOT_URL - value: {{ include "gitea.rootURL" . | quote }} - {{- end }} - {{- if .Values.smtpHost }} - - name: GITEA_SMTP_HOST - value: {{ .Values.smtpHost | quote }} - {{- end }} - {{- if .Values.smtpPort }} - - name: GITEA_SMTP_PORT - value: {{ .Values.smtpPort | quote }} - {{- end }} - {{- if .Values.smtpUser }} - - name: GITEA_SMTP_USER - value: {{ .Values.smtpUser | quote }} - {{- end }} - {{- if or .Values.smtpPassword .Values.smtpExistingSecret }} - {{- if .Values.usePasswordFiles }} - - name: GITEA_SMTP_PASSWORD_FILE - value: "/opt/bitnami/gitea/secrets/smtp-password" - {{- else }} - - name: GITEA_SMTP_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "gitea.smtpSecretName" . 
}} - key: smtp-password - {{- end }} - {{- end }} - - name: GITEA_ENABLE_OPENID_SIGNIN - value: {{ .Values.openid.enableSignIn | quote }} - - name: GITEA_ENABLE_OPENID_SIGNUP - value: {{ .Values.openid.enableSignUp | quote }} - {{- if .Values.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - envFrom: - {{- if .Values.extraEnvVarsCM }} - - configMapRef: - name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} - {{- end }} - {{- if .Values.extraEnvVarsSecret }} - - secretRef: - name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} - {{- end }} - {{- if .Values.lifecycleHooks }} - lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} - {{- end }} - ports: - - name: http - containerPort: {{ .Values.containerPorts.http }} - - name: ssh - containerPort: {{ .Values.containerPorts.ssh }} - {{- if .Values.extraContainerPorts }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraContainerPorts "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.customStartupProbe }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} - {{- else if .Values.startupProbe.enabled }} - startupProbe: - httpGet: - path: {{ .Values.startupProbe.path }} - port: http - initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.startupProbe.periodSeconds }} - timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} - successThreshold: {{ .Values.startupProbe.successThreshold }} - failureThreshold: {{ .Values.startupProbe.failureThreshold }} - {{- end }} - {{- if .Values.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} - {{- else if 
.Values.livenessProbe.enabled }} - livenessProbe: - tcpSocket: - port: http - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - {{- end }} - {{- if .Values.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} - {{- else if .Values.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: {{ .Values.readinessProbe.path }} - port: http - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.readinessProbe.failureThreshold }} - {{- end }} - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- else if ne .Values.resourcesPreset "none" }} - resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} - {{- end }} - volumeMounts: - - name: gitea-data - mountPath: /bitnami/gitea - - name: empty-dir - mountPath: /opt/bitnami/gitea - subPath: app-base-dir - - name: empty-dir - mountPath: /tmp - subPath: tmp-dir - {{- if .Values.usePasswordFiles }} - - name: gitea-secrets - mountPath: /opt/bitnami/gitea/secrets - {{- end }} - {{- if .Values.extraVolumeMounts }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.sidecars }} - {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} - {{- end }} - volumes: - - name: empty-dir - emptyDir: {} - {{- if .Values.usePasswordFiles 
}} - - name: gitea-secrets - projected: - sources: - - secret: - name: {{ include "gitea.secretName" . }} - - secret: - name: {{ include "gitea.databaseSecretName" . }} - {{- if or .Values.smtpPassword .Values.smtpExistingSecret }} - - secret: - name: {{ include "gitea.smtpSecretName" . }} - {{- end }} - {{- end }} - - name: gitea-data - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (print (include "common.names.fullname" .)) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.extraVolumes }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} - {{- end }} diff --git a/charts/gitea-bitnami/templates/externaldb-secrets.yaml b/charts/gitea-bitnami/templates/externaldb-secrets.yaml deleted file mode 100644 index 152342a..0000000 --- a/charts/gitea-bitnami/templates/externaldb-secrets.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if not (or .Values.postgresql.enabled .Values.externalDatabase.existingSecret) }} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ include "common.names.fullname" . }}-externaldb" - namespace: {{ include "common.names.namespace" . | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: Opaque -data: - db-password: {{ default "" .Values.externalDatabase.password | b64enc | quote }} -{{- end }} diff --git a/charts/gitea-bitnami/templates/extra-list.yaml b/charts/gitea-bitnami/templates/extra-list.yaml deleted file mode 100644 index 329f5c6..0000000 --- a/charts/gitea-bitnami/templates/extra-list.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- range .Values.extraDeploy }} ---- -{{ include "common.tplvalues.render" (dict "value" . "context" $) }} -{{- end }} diff --git a/charts/gitea-bitnami/templates/ingress.yaml b/charts/gitea-bitnami/templates/ingress.yaml deleted file mode 100644 index e5d6409..0000000 --- a/charts/gitea-bitnami/templates/ingress.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.ingress.enabled }} -apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} -kind: Ingress -metadata: - name: {{ template "common.names.fullname" . }} - namespace: {{ include "common.names.namespace" . | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if or .Values.ingress.annotations .Values.commonAnnotations }} - {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} - annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} - {{- end }} -spec: - {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} - ingressClassName: {{ .Values.ingress.ingressClassName | quote }} - {{- end }} - rules: - {{- if .Values.ingress.hostname }} - - host: {{ .Values.ingress.hostname }} - http: - paths: - {{- if .Values.ingress.extraPaths }} - {{- toYaml .Values.ingress.extraPaths | nindent 10 }} - {{- end }} - - path: {{ .Values.ingress.path }} - {{- if eq "true" (include "common.ingress.supportsPathType" .) }} - pathType: {{ .Values.ingress.pathType }} - {{- end }} - backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) 
"servicePort" "http" "context" $) | nindent 14 }} - {{- end }} - {{- range .Values.ingress.extraHosts }} - - host: {{ .name | quote }} - http: - paths: - - path: {{ default "/" .path }} - {{- if eq "true" (include "common.ingress.supportsPathType" $) }} - pathType: {{ default "ImplementationSpecific" .pathType }} - {{- end }} - backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http" "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.ingress.extraRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }} - {{- end }} - {{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned)) .Values.ingress.extraTls }} - tls: - {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned) }} - - hosts: - - {{ .Values.ingress.hostname | quote }} - secretName: {{ printf "%s-tls" .Values.ingress.hostname }} - {{- end }} - {{- if .Values.ingress.extraTls }} - {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} - {{- end }} - {{- end }} -{{- end }} diff --git a/charts/gitea-bitnami/templates/networkpolicy.yaml b/charts/gitea-bitnami/templates/networkpolicy.yaml deleted file mode 100644 index 9db892c..0000000 --- a/charts/gitea-bitnami/templates/networkpolicy.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.networkPolicy.enabled }} -kind: NetworkPolicy -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -metadata: - name: {{ template "common.names.fullname" . }} - namespace: {{ include "common.names.namespace" . | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} - policyTypes: - - Ingress - - Egress - {{- if .Values.networkPolicy.allowExternalEgress }} - egress: - - {} - {{- else }} - egress: - # Allow dns resolution - - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - # Allow outbound connections to MariaDB - - ports: - - port: {{ include "gitea.databasePort" . }} - {{- if .Values.postgresql.enabled }} - to: - - podSelector: - matchLabels: - app.kubernetes.io/name: postgresql - app.kubernetes.io/instance: {{ .Release.Name }} - {{- end }} - {{- if .Values.networkPolicy.extraEgress }} - {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} - ingress: - - ports: - - port: {{ .Values.containerPorts.http }} - - port: {{ .Values.containerPorts.ssh }} - {{- range .Values.extraContainerPorts }} - - port: {{ . 
}} - {{- end }} - {{- if not .Values.networkPolicy.allowExternal }} - from: - - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} - - podSelector: - matchLabels: - {{ template "common.names.fullname" . }}-client: "true" - {{- if .Values.networkPolicy.ingressNSMatchLabels }} - - namespaceSelector: - matchLabels: - {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} - podSelector: - matchLabels: - {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.networkPolicy.extraIngress }} - {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/gitea-bitnami/templates/pdb.yaml b/charts/gitea-bitnami/templates/pdb.yaml deleted file mode 100644 index c298722..0000000 --- a/charts/gitea-bitnami/templates/pdb.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.pdb.create }} -apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} -kind: PodDisruptionBudget -metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ include "common.names.namespace" . | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- if .Values.pdb.minAvailable }} - minAvailable: {{ .Values.pdb.minAvailable }} - {{- end }} - {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }} - maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} - {{- end }} - {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.podLabels .Values.commonLabels) "context" .) }} - selector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} -{{- end }} diff --git a/charts/gitea-bitnami/templates/pv.yaml b/charts/gitea-bitnami/templates/pv.yaml deleted file mode 100644 index 8e08805..0000000 --- a/charts/gitea-bitnami/templates/pv.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.persistence.enabled .Values.persistence.hostPath (not .Values.persistence.existingClaim) -}} -apiVersion: v1 -kind: PersistentVolume -metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ include "common.names.namespace" . | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- if not (empty .Values.persistence.accessModes) }} - accessModes: - {{- range .Values.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - {{- end }} - capacity: - storage: {{ .Values.persistence.size | quote }} - hostPath: - path: {{ .Values.persistence.hostPath | quote }} -{{- end -}} diff --git a/charts/gitea-bitnami/templates/pvc.yaml b/charts/gitea-bitnami/templates/pvc.yaml deleted file mode 100644 index 40481f5..0000000 --- a/charts/gitea-bitnami/templates/pvc.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ include "common.names.namespace" . | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if or .Values.persistence.annotations .Values.commonAnnotations }} - {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.persistence.annotations .Values.commonAnnotations ) "context" . ) }} - annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} - {{- end }} -spec: - {{- if .Values.persistence.hostPath }} - storageClassName: "" - {{- else }} - {{- include "gitea.storageClass" . | nindent 2 }} - {{- end }} - {{- if not (empty .Values.persistence.accessModes) }} - accessModes: - {{- range .Values.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - {{- end }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{- if .Values.persistence.selector }} - selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 4 }} - {{- end -}} - {{- if .Values.persistence.dataSource }} - dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.dataSource "context" $) | nindent 4 }} - {{- end }} -{{- end -}} diff --git a/charts/gitea-bitnami/templates/secrets.yaml b/charts/gitea-bitnami/templates/secrets.yaml deleted file mode 100644 index 52f2845..0000000 --- a/charts/gitea-bitnami/templates/secrets.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if or (not .Values.existingSecret) (and (not .Values.smtpExistingSecret) .Values.smtpPassword) }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ include "common.names.namespace" . | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: Opaque -data: - {{- if not .Values.existingSecret }} - admin-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "admin-password" "providedValues" (list "adminPassword") "context" $) }} - {{- end }} - {{- if and .Values.smtpPassword (not .Values.smtpExistingSecret) }} - {{- if .Values.smtpPassword }} - smtp-password: {{ .Values.smtpPassword | b64enc | quote }} - {{- end }} - {{- end }} -{{- end }} diff --git a/charts/gitea-bitnami/templates/service-account.yaml b/charts/gitea-bitnami/templates/service-account.yaml deleted file mode 100644 index 705fa2b..0000000 --- a/charts/gitea-bitnami/templates/service-account.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "gitea.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} - {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} - annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} - {{- end }} -automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} -{{- end }} diff --git a/charts/gitea-bitnami/templates/svc.yaml b/charts/gitea-bitnami/templates/svc.yaml deleted file mode 100644 index bd8bc11..0000000 --- a/charts/gitea-bitnami/templates/svc.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ include "common.names.namespace" . | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if or .Values.commonAnnotations .Values.service.annotations }} - {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} - annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} - {{- end }} -spec: - type: {{ .Values.service.type }} - {{- if .Values.service.sessionAffinity }} - sessionAffinity: {{ .Values.service.sessionAffinity }} - {{- end }} - {{- if .Values.service.sessionAffinityConfig }} - sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} - {{- end }} - {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }} - clusterIP: {{ .Values.service.clusterIP }} - {{- end }} - {{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }} - loadBalancerIP: {{ .Values.service.loadBalancerIP }} - {{- end }} - {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} - {{- end }} - {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} - externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} - {{- end }} - ports: - - name: http - port: {{ .Values.service.ports.http }} - targetPort: http - {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty 
.Values.service.nodePorts.http)) }} - nodePort: {{ .Values.service.nodePorts.http }} - {{- else if eq .Values.service.type "ClusterIP" }} - nodePort: null - {{- end }} - {{- if .Values.exposeSSH }} - - name: ssh - port: {{ .Values.service.ports.ssh }} - targetPort: ssh - {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.ssh)) }} - nodePort: {{ .Values.service.nodePorts.ssh }} - {{- else if eq .Values.service.type "ClusterIP" }} - nodePort: null - {{- end }} - {{- end }} - {{- if .Values.service.extraPorts }} - {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} - {{- end }} - {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} - selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} diff --git a/charts/gitea-bitnami/templates/tls-secrets.yaml b/charts/gitea-bitnami/templates/tls-secrets.yaml deleted file mode 100644 index 199d504..0000000 --- a/charts/gitea-bitnami/templates/tls-secrets.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -{{- /* -Copyright Broadcom, Inc. All Rights Reserved. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.ingress.enabled }} -{{- if .Values.ingress.secrets }} -{{- range .Values.ingress.secrets }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .name }} - namespace: {{ include "common.names.namespace" $ | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }} - {{- if $.Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: kubernetes.io/tls -data: - tls.crt: {{ .certificate | b64enc }} - tls.key: {{ .key | b64enc }} ---- -{{- end }} -{{- end }} -{{- if and .Values.ingress.tls .Values.ingress.selfSigned }} -{{- $secretName := printf "%s-tls" .Values.ingress.hostname }} -{{- $ca := genCA "gitea-ca" 365 }} -{{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ $secretName }} - namespace: {{ include "common.names.namespace" . | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: kubernetes.io/tls -data: - tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} - tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }} - ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }} -{{- end }} -{{- end }} 
diff --git a/charts/gitea-bitnami/values.yaml b/charts/gitea-bitnami/values.yaml deleted file mode 100644 index e722c85..0000000 --- a/charts/gitea-bitnami/values.yaml +++ /dev/null 
@@ -1,785 +0,0 @@ -# Copyright Broadcom, Inc. All Rights Reserved. -# SPDX-License-Identifier: APACHE-2.0 - -## @section Global parameters -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass -## - -## @param global.imageRegistry Global Docker image registry -## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) -## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead -## -global: - imageRegistry: "" - ## E.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName - ## - imagePullSecrets: [] - defaultStorageClass: "" - storageClass: "" - ## Security parameters - ## - security: - ## @param global.security.allowInsecureImages Allows skipping image verification - allowInsecureImages: false - ## Compatibility adaptations for Kubernetes platforms - ## - compatibility: - ## Compatibility adaptations for Openshift - ## - openshift: - ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) - ## - adaptSecurityContext: auto -## @section Common parameters -## - -## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) -## -kubeVersion: "" -## @param nameOverride String to partially override gitea.fullname template (will maintain the release name) -## -nameOverride: "" -## @param fullnameOverride String to fully override gitea.fullname template -## -fullnameOverride: "" -## @param namespaceOverride String to fully override common.names.namespace -## -namespaceOverride: "" -## @param commonAnnotations Common annotations to add to all Gitea resources (sub-charts are not considered). Evaluated as a template -## -commonAnnotations: {} -## @param commonLabels Common labels to add to all Gitea resources (sub-charts are not considered). Evaluated as a template -## -commonLabels: {} -## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template). -## -extraDeploy: [] -## @param usePasswordFiles Mount credentials as files instead of using environment variables -## -usePasswordFiles: true -## @section Gitea parameters -## - -## Bitnami Gitea image version -## ref: https://hub.docker.com/r/bitnami/gitea/tags/ -## @param image.registry [default: REGISTRY_NAME] Gitea image registry -## @param image.repository [default: REPOSITORY_NAME/gitea] Gitea Image name -## @skip image.tag Gitea Image tag -## @param image.digest Gitea image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag -## @param image.pullPolicy Gitea image pull policy -## @param image.pullSecrets Specify docker-registry secret names as an array -## @param image.debug Specify if debug logs should be enabled -## -image: - registry: docker.io - repository: bitnami/gitea - tag: 1.23.7-debian-12-r0 - digest: "" - ## Specify a imagePullPolicy - ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Set to true if you would like to see extra information on logs - ## - debug: false -## @param adminUsername User of the application -## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration -## -adminUsername: bn_user -## @param adminPassword Application password -## Defaults to a random 10-character alphanumeric string if not set -## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration -## -adminPassword: "" -## @param adminEmail Admin email -## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration -## -adminEmail: user@example.com -## @param appName Gitea application name -## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration -## -appName: example -## @param runMode Gitea application host -## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea#configuration -## -runMode: prod -## @param exposeSSH Make the SSH server accesible -## -exposeSSH: true -## @param rootURL UI Root URL (for link generation) -## -rootURL: "" -## @param command Override default container command (useful when using custom images) -## -command: [] -## @param args Override default container 
args (useful when using custom images) -## -args: [] -## @param updateStrategy.type Update strategy - only really applicable for deployments with RWO PVs attached -## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the -## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will -## terminate the single previous pod, so that the new, incoming pod can attach to the PV -## -updateStrategy: - type: RollingUpdate -## @param priorityClassName Gitea pods' priorityClassName -## -priorityClassName: "" -## @param schedulerName Name of the k8s scheduler (other than default) -## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -schedulerName: "" -## @param topologySpreadConstraints Topology Spread Constraints for pod assignment -## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -## The value is evaluated as a template -## -topologySpreadConstraints: [] -## @param automountServiceAccountToken Mount Service Account token in pod -## -automountServiceAccountToken: false -## @param hostAliases [array] Add deployment host aliases -## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ -## -hostAliases: [] -## @param extraEnvVars Extra environment variables -## For example: -## -extraEnvVars: [] -# - name: BEARER_AUTH -# value: true -## @param extraEnvVarsCM ConfigMap containing extra env vars -## -extraEnvVarsCM: "" -## @param extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) -## -extraEnvVarsSecret: "" -## @param extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting `extraVolumeMounts` -## -extraVolumes: [] -## @param extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with `extraVolumes`. 
-## -extraVolumeMounts: [] -## @param initContainers Add additional init containers to the pod (evaluated as a template) -## -initContainers: [] -## Pod Disruption Budget configuration -## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb -## @param pdb.create Enable/disable a Pod Disruption Budget creation -## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled -## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. -## -pdb: - create: true - minAvailable: "" - maxUnavailable: "" -## @param sidecars Attach additional containers to the pod (evaluated as a template) -## -sidecars: [] -## @param tolerations Tolerations for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -## -tolerations: [] -## @param existingSecret Name of a secret with the application password -## -existingSecret: "" -## @param existingSecretKey Key inside the existing secret containing the password -## -existingSecretKey: "admin-password" -## SMTP mail delivery configuration -## ref: https://github.com/bitnami/containers/tree/main/bitnami/gitea/#smtp-configuration -## @param smtpHost SMTP host -## @param smtpPort SMTP port -## @param smtpUser SMTP user -## @param smtpPassword SMTP password -## -smtpHost: "" -smtpPort: "" -smtpUser: "" -smtpPassword: "" -## @param smtpExistingSecret The name of an existing secret with SMTP credentials -## NOTE: Must contain key `smtp-password` -## NOTE: When it's set, the `smtpPassword` parameter is ignored -## -smtpExistingSecret: "" -## @param containerPorts [object] Container ports -## -containerPorts: - http: 3000 - ssh: 2222 -## @param extraContainerPorts Optionally specify extra list of additional ports for Gitea container(s) -## e.g: -## extraContainerPorts: -## - name: myservice -## containerPort: 9090 -## -extraContainerPorts: [] -## Enable 
OpenID Configurations -## @param openid.enableSignIn Enable sign in with OpenID -## @param openid.enableSignUp Enable sign up with OpenID -openid: - enableSignIn: false - enableSignUp: false -## Enable persistence using Persistent Volume Claims -## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ -## -persistence: - ## @param persistence.enabled Enable persistence using PVC - ## - enabled: true - ## @param persistence.storageClass PVC Storage Class for Gitea volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - storageClass: "" - ## @param persistence.accessModes PVC Access Mode for Gitea volume - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - ## - accessModes: - - ReadWriteOnce - ## @param persistence.size PVC Storage Request for Gitea volume - ## - size: 8Gi - ## @param persistence.dataSource Custom PVC data source - ## - dataSource: {} - ## @param persistence.existingClaim A manually managed Persistent Volume Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - ## - existingClaim: "" - ## @param persistence.hostPath If defined, the gitea-data volume will mount to the specified hostPath. - ## Requires persistence.enabled: true - ## Requires persistence.existingClaim: nil|false - ## Default: nil. - ## - hostPath: "" - ## @param persistence.annotations Persistent Volume Claim annotations - ## - annotations: {} - ## @param persistence.selector Selector to match an existing Persistent Volume for Gitea data PVC - ## If set, the PVC can't have a PV dynamically provisioned for it - ## E.g. 
- ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} -## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAffinityPreset: "" -## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAntiAffinityPreset: soft -## Node affinity preset -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity -## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. -## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. -## -nodeAffinityPreset: - type: "" - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] -## @param affinity Affinity for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set -## -affinity: {} -## @param nodeSelector Node labels for pod assignment. Evaluated as a template. -## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ -## -nodeSelector: {} -## Gitea container's resource requests and limits -## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ -## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). 
This is ignored if resources is set (resources is recommended for production). -## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 -## -resourcesPreset: "micro" -## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) -## Example: -## resources: -## requests: -## cpu: 2 -## memory: 512Mi -## limits: -## cpu: 3 -## memory: 1024Mi -## -resources: {} -## Configure Pods Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod -## @param podSecurityContext.enabled Enable Gitea pods' Security Context -## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy -## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface -## @param podSecurityContext.supplementalGroups Set filesystem extra groups -## @param podSecurityContext.fsGroup Gitea pods' group ID -## -podSecurityContext: - enabled: true - fsGroupChangePolicy: Always - sysctls: [] - supplementalGroups: [] - fsGroup: 1001 -## Configure Container Security Context (only main container) -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -## @param containerSecurityContext.enabled Enabled containers' Security Context -## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container -## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser -## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup -## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot -## @param containerSecurityContext.privileged Set container's Security Context privileged -## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem 
-## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation -## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped -## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile -## -containerSecurityContext: - enabled: true - seLinuxOptions: {} - runAsUser: 1001 - runAsGroup: 1001 - runAsNonRoot: true - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" -## Configure extra options for startup probe -## Gitea core exposes / to unauthenticated requests, making it a good -## default startup and readiness path. However, that may not always be the -## case. For example, if the image value is overridden to an image containing a -## module that alters that route, or an image that does not auto-install Gitea. -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes -## @param startupProbe.enabled Enable startupProbe -## @param startupProbe.path Request path for startupProbe -## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe -## @param startupProbe.periodSeconds Period seconds for startupProbe -## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe -## @param startupProbe.failureThreshold Failure threshold for startupProbe -## @param startupProbe.successThreshold Success threshold for startupProbe -## -startupProbe: - enabled: false - path: / - initialDelaySeconds: 600 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 5 - successThreshold: 1 -## Configure extra options for liveness probe -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes -## @param livenessProbe.enabled Enable livenessProbe -## @param livenessProbe.initialDelaySeconds Initial delay 
seconds for livenessProbe -## @param livenessProbe.periodSeconds Period seconds for livenessProbe -## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe -## @param livenessProbe.failureThreshold Failure threshold for livenessProbe -## @param livenessProbe.successThreshold Success threshold for livenessProbe -## -livenessProbe: - enabled: true - initialDelaySeconds: 600 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 5 - successThreshold: 1 -## Configure extra options for readiness probe -## Gitea core exposes / to unauthenticated requests, making it a good -## default startup and readiness path. However, that may not always be the -## case. For example, if the image value is overridden to an image containing a -## module that alters that route, or an image that does not auto-install Gitea. -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes -## @param readinessProbe.enabled Enable readinessProbe -## @param readinessProbe.path Request path for readinessProbe -## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe -## @param readinessProbe.periodSeconds Period seconds for readinessProbe -## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe -## @param readinessProbe.failureThreshold Failure threshold for readinessProbe -## @param readinessProbe.successThreshold Success threshold for readinessProbe -## -readinessProbe: - enabled: true - path: / - initialDelaySeconds: 30 - periodSeconds: 5 - timeoutSeconds: 1 - failureThreshold: 5 - successThreshold: 1 -## @param customStartupProbe Override default startup probe -## -customStartupProbe: {} -## @param customLivenessProbe Override default liveness probe -## -customLivenessProbe: {} -## @param customReadinessProbe Override default readiness probe -## -customReadinessProbe: {} -## @param lifecycleHooks LifecycleHook to set additional configuration at startup Evaluated as a 
template -## -lifecycleHooks: {} -## @param podAnnotations Pod annotations -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -## -podAnnotations: {} -## @param podLabels Add additional labels to the pod (evaluated as a template) -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -## -podLabels: {} -## @section Traffic Exposure Parameters -## - -## Kubernetes configuration. For minikube, set this to NodePort, elsewhere use LoadBalancer -## -service: - ## @param service.type Kubernetes Service type - ## - type: LoadBalancer - ## @param service.ports.http Service HTTP port - ## @param service.ports.ssh Service SSH port - ## - ports: - http: 80 - ssh: 22 - ## @param service.loadBalancerSourceRanges Restricts access for LoadBalancer (only with `service.type: LoadBalancer`) - ## e.g: - ## loadBalancerSourceRanges: - ## - 0.0.0.0/0 - ## - loadBalancerSourceRanges: [] - ## @param service.loadBalancerIP loadBalancerIP for the Gitea Service (optional, cloud specific) - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer - ## - loadBalancerIP: "" - ## @param service.nodePorts [object] Kubernetes node port - ## nodePorts: - ## http: - ## https: - ## - nodePorts: - http: "" - ssh: "" - ## @param service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param service.clusterIP Gitea service Cluster IP - ## e.g.: - ## clusterIP: None - ## - clusterIP: "" - ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value) - ## - extraPorts: [] - ## @param service.annotations Additional custom annotations for Gitea service - ## - annotations: {} - ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" - ## If "ClientIP", 
consecutive client requests will be directed to the same Pod - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - ## - sessionAffinity: None - ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - ## - sessionAffinityConfig: {} - -## Network Policy configuration -## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ -## -networkPolicy: - ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created - ## - enabled: true - ## @param networkPolicy.allowExternal Don't require server label for connections - ## The Policy model to apply. When set to false, only pods with the correct - ## server label will have network access to the ports server is listening - ## on. When true, server will accept connections from any source - ## (with the correct destination port). - ## - allowExternal: true - ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
- ## - allowExternalEgress: true - ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraIngress: - ## - ports: - ## - port: 1234 - ## from: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - extraIngress: [] - ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraEgress: - ## - ports: - ## - port: 1234 - ## to: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - ## - extraEgress: [] - ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces - ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces - ## - ingressNSMatchLabels: {} - ingressNSPodMatchLabels: {} - -## Configure the ingress resource that allows you to access the -## Gitea installation. Set up the URL -## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ -## -ingress: - ## @param ingress.enabled Enable ingress controller resource - ## - enabled: false - ## @param ingress.pathType Ingress Path type - ## - pathType: ImplementationSpecific - ## @param ingress.apiVersion Override API Version (automatically detected if not set) - ## - apiVersion: "" - ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) - ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . 
- ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ - ## - ingressClassName: "" - ## @param ingress.hostname Default host for the ingress resource - ## - hostname: "gitea.local" - ## @param ingress.path The Path to Gitea. You may need to set this to '/*' in order to use this - ## with ALB ingress controllers. - ## - path: / - ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. - ## For a full list of possible ingress annotations, please see - ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md - ## Use this parameter to set the required annotations for cert-manager, see - ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations - ## - ## e.g: - ## annotations: - ## kubernetes.io/ingress.class: nginx - ## cert-manager.io/cluster-issuer: cluster-issuer-name - ## - annotations: {} - ## @param ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter - ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} - ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it - ## - tls: false - ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm - ## - selfSigned: false - ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record. - ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array - ## extraHosts: - ## - name: gitea.local - ## path: / - ## - extraHosts: [] - ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. 
- ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. - ## extraPaths: - ## - path: /* - ## backend: - ## serviceName: ssl-redirect - ## servicePort: use-annotation - ## - extraPaths: [] - ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. - ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - ## extraTls: - ## - hosts: - ## - gitea.local - ## secretName: gitea.local-tls - ## - extraTls: [] - ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets - ## key and certificate should start with -----BEGIN CERTIFICATE----- or - ## -----BEGIN RSA PRIVATE KEY----- - ## - ## name should line up with a tlsSecret set further up - ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set - ## - ## It is also possible to create and manage the certificates outside of this helm chart - ## Please see README.md for more information - ## Example: - ## - name: gitea.local-tls - ## key: - ## certificate: - ## - secrets: [] - ## @param ingress.extraRules Additional rules to be covered with this ingress record - ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules - ## e.g: - ## extraRules: - ## - host: example.local - ## http: - ## path: / - ## backend: - ## service: - ## name: example-svc - ## port: - ## name: http - ## - extraRules: [] -## @section Other Parameters -## - -## Service account for Gitea to use. -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -## -serviceAccount: - ## @param serviceAccount.create Enable creation of ServiceAccount for Gitea pod - ## - create: true - ## @param serviceAccount.name The name of the ServiceAccount to use. 
- ## If not set and create is true, a name is generated using the common.names.fullname template - ## - name: "" - ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created - ## Can be set to false if pods using this serviceAccount do not need to use K8s API - ## - automountServiceAccountToken: false - ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount - ## - annotations: {} -## @section Database parameters -## - -## PostgreSQL chart configuration -## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml -## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart -## @param postgresql.auth.username Name for a custom user to create -## @param postgresql.auth.password Password for the custom user to create -## @param postgresql.auth.database Name for a custom database to create -## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials -## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`) -## @param postgresql.service.ports.postgresql PostgreSQL service port -## -postgresql: - enabled: true - auth: - username: bn_gitea - password: "" - database: bitnami_gitea - existingSecret: "" - architecture: standalone - service: - ports: - postgresql: 5432 -## External PostgreSQL configuration -## All of these values are only used when postgresql.enabled is set to false -## @param externalDatabase.host Database host -## @param externalDatabase.port Database port number -## @param externalDatabase.user Non-root username for JupyterHub -## @param externalDatabase.password Password for the non-root username for JupyterHub -## @param externalDatabase.database JupyterHub database name -## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials -## @param externalDatabase.existingSecretPasswordKey 
Name of an existing secret key containing the database credentials -## -externalDatabase: - host: "" - port: 5432 - user: postgres - database: gitea - password: "" - existingSecret: "" - existingSecretPasswordKey: "db-password" -## @section Volume Permissions parameters -## - -## Init containers parameters: -## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. -## -volumePermissions: - ## @param volumePermissions.enabled Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) - ## - enabled: false - ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry - ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image name - ## @skip volumePermissions.image.tag Init container volume-permissions image tag - ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag - ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy - ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array - ## - image: - registry: docker.io - repository: bitnami/os-shell - tag: 12-debian-12-r42 - digest: "" - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. 
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Init containers' resource requests and limits - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## We usually recommend not to specify default resources and to leave this as a conscious - ## choice for the user. This also increases chances charts run on environments with little - ## resources, such as Minikube. If you do want to specify resources, uncomment the following - ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). - ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 - ## - resourcesPreset: "nano" - ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) - ## Example: - ## resources: - ## requests: - ## cpu: 2 - ## memory: 512Mi - ## limits: - ## cpu: 3 - ## memory: 1024Mi - ## - resources: {} diff --git a/charts/helm-gitea/.commitlintrc.json b/charts/helm-gitea/.commitlintrc.json new file mode 100644 index 0000000..2a875d1 --- /dev/null +++ b/charts/helm-gitea/.commitlintrc.json @@ -0,0 +1,7 @@ +{ + "extends": ["@commitlint/config-conventional"], + "rules": { + "type-enum": [2, "always", ["feat", "fix", "chore", "docs", "style", "refactor", "test", "perf", "ci", "WIP"]], + "type-case": [0, "always", "lower-case"] + } +} \ No newline at end of file 
diff --git a/charts/helm-gitea/.editorconfig b/charts/helm-gitea/.editorconfig new file mode 100644 index 0000000..ebe51d3 --- /dev/null +++ b/charts/helm-gitea/.editorconfig @@ -0,0 +1,12 @@ +# EditorConfig is awesome: https://EditorConfig.org + +# top-most EditorConfig file +root = true + +[*] +indent_style = space +indent_size = 2 +end_of_line = lf +charset = utf-8 +trim_trailing_whitespace = false +insert_final_newline = false \ No newline at end of file diff --git a/charts/helm-gitea/.gitea/PULL_REQUEST_TEMPLATE.md b/charts/helm-gitea/.gitea/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..3f1a225 --- /dev/null +++ b/charts/helm-gitea/.gitea/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,44 @@ + + +### Description of the change + + + +### Benefits + + + +### Possible drawbacks + + + +### Applicable issues + + +- Fixes # + +### Additional information + + + +### ⚠ BREAKING + + + +### Checklist + + + +- [ ] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) +- [ ] Breaking changes are documented in the `README.md` +- [ ] Helm templating unittests are added (required when changing anything in `templates` folder) +- [ ] Bash unittests are added (required when changing anything in `scripts` folder) +- [ ] All added template resources MUST render a namespace in metadata diff --git a/charts/helm-gitea/.gitea/workflows/changelog.yml b/charts/helm-gitea/.gitea/workflows/changelog.yml new file mode 100644 index 0000000..c7aa962 --- /dev/null +++ b/charts/helm-gitea/.gitea/workflows/changelog.yml 
@@ -0,0 +1,32 @@
+name: changelog
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ changelog:
+ runs-on: ubuntu-latest
+ container: docker.io/thegeeklab/git-sv:2.0.1
+ steps:
+ - name: install tools
+ run: |
+ apk add -q --update --no-cache nodejs curl jq sed
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Generate upcoming changelog
+ run: |
+ git sv rn -o changelog.md
+ export RELEASE_NOTES=$(cat changelog.md)
+ export ISSUE_NUMBER=$(curl -s "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues?state=open&q=Changelog%20for%20upcoming%20version" | jq '.[].number')
+
+ echo $RELEASE_NOTES
+ JSON_DATA=$(echo "" | jq -Rs --arg title 'Changelog for upcoming version' --arg body "$(cat changelog.md)" '{title: $title, body: $body}')
+
+ if [ -z "$ISSUE_NUMBER" ]; then
+ curl -s -X POST "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
+ else
+ curl -s -X PATCH "https://gitea.com/api/v1/repos/gitea/helm-gitea/issues/$ISSUE_NUMBER" -H "Authorization: token ${{ secrets.ISSUE_RW_TOKEN }}" -H "Content-Type: application/json" -d "$JSON_DATA"
+ fi
diff --git a/charts/helm-gitea/.gitea/workflows/commitlint.yml b/charts/helm-gitea/.gitea/workflows/commitlint.yml
new file mode 100644
index 0000000..cb0c11e
--- /dev/null
+++ b/charts/helm-gitea/.gitea/workflows/commitlint.yml
@@ -0,0 +1,19 @@
+name: commitlint
+
+on:
+ pull_request:
+ branches:
+ - "*"
+ types:
+ - opened
+ - edited
+
+jobs:
+ check-and-test:
+ runs-on: ubuntu-latest
+ container: commitlint/commitlint:19.8.1
+ steps:
+ - uses: actions/checkout@v4
+ - name: check PR title
+ run: |
+ echo "${{ gitea.event.pull_request.title }}" | commitlint --config .commitlintrc.json
diff --git a/charts/helm-gitea/.gitea/workflows/release-version.yml b/charts/helm-gitea/.gitea/workflows/release-version.yml
new file mode 100644
index 0000000..7406a4a
--- /dev/null
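Review bot: `ISSUE_NUMBER` in the `Generate upcoming changelog` step is built with `jq '.[].number'` over a substring search (`q=Changelog%20for%20upcoming%20version`), so when more than one open issue matches the variable holds several numbers and the PATCH URL in the `else` branch is malformed; when the lookup itself fails, `curl -s` hides the error and the empty result sends the script down the `if` branch, opening a duplicate issue on every push to main. Selecting by exact title, `jq -r 'first(.[] | select(.title == "Changelog for upcoming version") | .number) // empty'`, together with `curl -fsS` on all three calls, closes both gaps. `${{ secrets.ISSUE_RW_TOKEN }}` is expanded twice into the script text itself; declaring it once as a step `env` value and writing `-H "Authorization: token $ISSUE_RW_TOKEN"` keeps the secret out of the rendered script. `RELEASE_NOTES` is exported but only echoed, so it can be dropped along with the unquoted `echo $RELEASE_NOTES`.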
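Review bot: The `check PR title` step pastes `${{ gitea.event.pull_request.title }}` directly into the `run` script, so text chosen by any pull-request author becomes part of the shell command before it executes; quotes or other shell metacharacters in a title are interpreted by the shell instead of being linted, which is the classic script-injection pattern for CI workflows. Route the value through the environment: add `env:` with `PR_TITLE: ${{ gitea.event.pull_request.title }}` to the step and change the command to `printf '%s\n' "$PR_TITLE" | commitlint --config .commitlintrc.json`. The `edited` trigger type means this runs on every title edit by the same untrusted author, so the fix matters even though the job reads no secrets.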
+++ b/charts/helm-gitea/.gitea/workflows/release-version.yml 
@@ -0,0 +1,96 @@ +name: generate-chart + +on: + push: + tags: + - "*" + +env: + # renovate: datasource=docker depName=alpine/helm + HELM_VERSION: "3.17.3" + +jobs: + generate-chart-publish: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: install tools + run: | + apt update -y + apt install -y curl ca-certificates curl gnupg + # helm + curl -O https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz + tar -xzf helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz + mv linux-amd64/helm /usr/local/bin/ + rm -rf linux-amd64 helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz + helm version + # docker + install -m 0755 -d /etc/apt/keyrings + curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg + chmod a+r /etc/apt/keyrings/docker.gpg + echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null + apt update -y + apt install -y python3 python3-pip apt-transport-https docker-ce-cli + pip install awscli --break-system-packages + + - name: Import GPG key + id: import_gpg + uses: https://github.com/crazy-max/ghaction-import-gpg@v6 + with: + gpg_private_key: ${{ secrets.GPGSIGN_KEY }} + passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }} + fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0 + + # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843 + - name: package chart + run: | + echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin + # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved + helm plugin install https://github.com/pat-s/helm-gpg + helm dependency build + helm package --version "${GITHUB_REF#refs/tags/v}" ./ + mkdir gitea + mv gitea*.tgz gitea/ + curl -s -L 
-o gitea/index.yaml https://dl.gitea.com/charts/index.yaml + helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml + # push to dockerhub + echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin + helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts + helm registry logout registry-1.docker.io + + - name: aws credential configure + uses: https://github.com/aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ secrets.AWS_REGION }} + + - name: Copy files to S3 and clear cache + run: | + aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/ + + release-gitea: + # needs: generate-chart-publish + runs-on: ubuntu-latest + container: docker.io/thegeeklab/git-sv:2.0.1 + steps: + - name: install tools + run: | + apk add -q --update --no-cache nodejs + - uses: actions/checkout@v4 + with: + fetch-tags: true + fetch-depth: 0 + + - name: Create changelog + run: | + git sv current-version + git sv release-notes -t ${GITHUB_REF#refs/tags/} -o CHANGELOG.md + sed -i '1,2d' CHANGELOG.md # remove version + cat CHANGELOG.md + + - name: Release + uses: https://github.com/akkuman/gitea-release-action@v1 + with: + body_path: CHANGELOG.md + token: "${{ secrets.RELEASE_TOKEN }}" diff --git a/charts/helm-gitea/.gitea/workflows/test-pr.yml b/charts/helm-gitea/.gitea/workflows/test-pr.yml new file mode 100644 index 0000000..a7994b1 --- /dev/null +++ b/charts/helm-gitea/.gitea/workflows/test-pr.yml 
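Review bot: The Helm binary fetched in `install tools` with `curl -O https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz` is unpacked and then used to sign and publish the chart with no integrity check, so the release pipeline trusts whatever the download returned; Helm publishes a checksum beside each archive, so add `curl -fsSLO https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz.sha256sum` and `sha256sum -c helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz.sha256sum` before the `tar -xzf`. The same job, which holds the GPG signing key and the Docker and AWS credentials, installs `https://github.com/pat-s/helm-gpg` with no version or commit pinned and references `ghaction-import-gpg@v6`, `configure-aws-credentials@v4` and `gitea-release-action@v1` by movable tags; pinning each to a commit SHA (and likewise `actions/checkout@v4` in changelog.yml, commitlint.yml and test-pr.yml) narrows that exposure. `echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login ...` and the later `helm registry login` line expand the password unquoted into the script body; passing it as a step `env` value and writing `printf '%s' "$DOCKER_CHARTS_PASSWORD" | docker login -u "$DOCKER_CHARTS_USERNAME" --password-stdin` avoids both the word splitting and the secret appearing in the rendered script. `# needs: generate-chart-publish` is commented out, so `release-gitea` publishes release notes even when packaging or the S3 sync failed — presumably not intended.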
@@ -0,0 +1,45 @@ +name: check-and-test + +on: + pull_request: + branches: + - "*" + push: + branches: + - main + +env: + # renovate: datasource=github-releases depName=helm-unittest/helm-unittest + HELM_UNITTEST_VERSION: "v0.8.2" + +jobs: + check-and-test: + runs-on: ubuntu-latest + container: alpine/helm:3.17.3 + steps: + - name: install tools + run: | + apk update + apk add --update bash make nodejs npm yamllint ncurses + - uses: actions/checkout@v4 + - name: install chart dependencies + run: helm dependency build + - name: lint + run: helm lint + - name: template + run: helm template --debug gitea-helm . + - name: prepare unit test environment + run: | + helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest + git submodule update --init --recursive + - name: unit tests + env: + TERM: xterm + run: | + make unittests + - name: verify readme + run: | + make readme + git diff --exit-code --name-only README.md + - name: yaml lint + uses: https://github.com/ibiqlik/action-yamllint@v3 diff --git a/charts/helm-gitea/.gitignore b/charts/helm-gitea/.gitignore new file mode 100644 index 0000000..10261af --- /dev/null +++ b/charts/helm-gitea/.gitignore @@ -0,0 +1,4 @@ +charts/ +node_modules/ +.DS_Store +unittests/*/__snapshot__/ diff --git a/charts/helm-gitea/.gitmodules b/charts/helm-gitea/.gitmodules new file mode 100644 index 0000000..4f2bd05 --- /dev/null +++ b/charts/helm-gitea/.gitmodules 
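Review bot: The `install tools` step adds `yamllint` with `apk`, but the final `yaml lint` step never invokes it and instead pulls `https://github.com/ibiqlik/action-yamllint@v3`, an external action referenced by a floating tag that duplicates a tool already present in the job container; replacing that step with `run: yamllint .` removes the dependency and runs the same check against the repository's own config. Running a third-party action inside the `alpine/helm:3.17.3` job container also depends on the runner supporting actions nested in a custom container, which is worth confirming on act_runner before relying on this step for PR gating. Separately, the `apk add --update bash make nodejs npm yamllint ncurses` line installs unpinned packages on every run, so lint and unit-test results can drift between runs of the same commit.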
@@ -0,0 +1,12 @@
+[submodule "unittests/bash/bats"]
+ path = unittests/bash/bats
+ url = https://github.com/bats-core/bats-core.git
+[submodule "unittests/bash/test_helper/bats-support"]
+ path = unittests/bash/test_helper/bats-support
+ url = https://github.com/bats-core/bats-support.git
+[submodule "unittests/bash/test_helper/bats-assert"]
+ path = unittests/bash/test_helper/bats-assert
+ url = https://github.com/bats-core/bats-assert.git
+[submodule "unittests/bash/test_helper/bats-mock"]
+ path = unittests/bash/test_helper/bats-mock
+ url = https://github.com/jasonkarns/bats-mock.git
diff --git a/charts/helm-gitea/.gitsv/config.yaml b/charts/helm-gitea/.gitsv/config.yaml
new file mode 100644
index 0000000..d14607e
--- /dev/null
+++ b/charts/helm-gitea/.gitsv/config.yaml
@@ -0,0 +1,57 @@ +version: '1.1' # Configuration version. + +versioning: + update-major: [breaking] # Commit types used to bump major. + update-minor: [feat, perf] # Commit types used to bump minor. + update-patch: [build, ci, chore, fix, perf, refactor, test] # Commit types used to bump patch. + # When type is not present on update rules and is unknown (not mapped on commit message types); + # if ignore-unknown=false bump patch, if ignore-unknown=true do not bump version. + ignore-unknown: false + +tag: + pattern: 'v%d.%d.%d' # Pattern used to create git tag. + filter: '' # Enables you to filter for considerable tags using git pattern syntax. + +release-notes: + sections: # Array with each section of release note. Check template section for more information. + - name: Breaking Changes + section-type: breaking-changes + - name: Features # Name used on section. + section-type: commits # Type of the section, supported types: commits, breaking-changes. + commit-types: [feat, perf] # Commit types for commit section-type, one commit type cannot be in more than one section. + - name: Bug Fixes + section-type: commits + commit-types: [fix] + - name: Maintenance + section-type: commits + commit-types: [chore, refactor] + - name: Documentation + commit-types: [docs] + section-type: commits + - name: CI + commit-types: [ci] + section-type: commits + +branches: # Git branches config. + prefix: ([a-z]+\/)? # Prefix used on branch name, it should be a regex group. + suffix: (-.*)? # Suffix used on branch name, it should be a regex group. + disable-issue: false # Set true if there is no need to recover issue id from branch name. + skip: [] # List of branch names ignored on commit message validation. + skip-detached: false # Set true if a detached branch should be ignored on commit message validation. + +commit-message: + # Supported commit types. 
+ types: [build, ci, chore, docs, feat, fix, perf, refactor, revert, style, test] + header-selector: '' # You can put in a regex here to select only a certain part of the commit message. Please define a regex group 'header'. + scope: + # Define supported scopes, if blank, scope will not be validated, if not, only scope listed will be valid. + # Don't forget to add "" on your list if you need to define scopes and keep it optional. + values: [] + footer: + issue: # Use "issue: {}" if you wish to disable issue footer. + key: jira # Name used to define an issue on footer metadata. + key-synonyms: [Jira, JIRA] # Supported variations for footer metadata. + use-hash: false # If false, use : separator. If true, use # separator. + add-value-prefix: '' # Add a prefix to issue value. + issue: + regex: '[A-Z]+-[0-9]+' # Regex for issue id. diff --git a/charts/gitea-bitnami/charts/common/.helmignore b/charts/helm-gitea/.helmignore similarity index 57% rename from charts/gitea-bitnami/charts/common/.helmignore rename to charts/helm-gitea/.helmignore index d0e1084..43ad621 100644 --- a/charts/gitea-bitnami/charts/common/.helmignore +++ b/charts/helm-gitea/.helmignore @@ -5,6 +5,7 @@ # Common VCS dirs .git/ .gitignore +.gitmodules .bzr/ .bzrignore .hg/ @@ -20,7 +21,21 @@ .idea/ *.tmproj .vscode/ -# img folder -img/ -# Changelog -CHANGELOG.md +node_modules/ +.npmrc +package.json +package-lock.json +.gitea/ +Makefile +.markdownlintignore +.markdownlint.yaml +.drone.yml +CONTRIBUTING.md +unittests/ +.editorconfig +.prettierignore +.yamllint +CODEOWNERS +renovate.json5 +.commitlintrc.json +.gitsv/ diff --git a/charts/helm-gitea/.markdownlint.yaml b/charts/helm-gitea/.markdownlint.yaml new file mode 100644 index 0000000..977349e --- /dev/null +++ b/charts/helm-gitea/.markdownlint.yaml 
@@ -0,0 +1,150 @@ +# markdownlint YAML configuration +# https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml + +# Default state for all rules +default: true + +# Path to configuration file to extend +extends: null + +# MD003/heading-style/header-style - Heading style +MD003: + # Heading style + style: "atx" + +# MD004/ul-style - Unordered list style +MD004: + style: "dash" + +# MD007/ul-indent - Unordered list indentation +MD007: + # Spaces for indent + indent: 2 + # Whether to indent the first level of the list + start_indented: false + +# MD009/no-trailing-spaces - Trailing spaces +MD009: + # Spaces for line break + br_spaces: 2 + # Allow spaces for empty lines in list items + list_item_empty_lines: false + # Include unnecessary breaks + strict: false + +# MD010/no-hard-tabs - Hard tabs +MD010: + # Include code blocks + code_blocks: true + +# MD012/no-multiple-blanks - Multiple consecutive blank lines +MD012: + # Consecutive blank lines + maximum: 1 + +# MD013/line-length - Line length +MD013: + # Number of characters + line_length: 200 + # Number of characters for headings + heading_line_length: 100 + # Number of characters for code blocks + code_block_line_length: 80 + # Include code blocks + code_blocks: false + # Include tables + tables: false + # Include headings + headings: true + # Include headings + headers: true + # Strict length checking + strict: false + # Stern length checking + stern: false + +# MD022/blanks-around-headings/blanks-around-headers - Headings should be surrounded by blank lines +MD022: + # Blank lines above heading + lines_above: 1 + # Blank lines below heading + lines_below: 1 + +# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content +MD024: + # Only check sibling headings + siblings_only: true + +# MD025/single-title/single-h1 - Multiple top-level headings in the same document +MD025: + # Heading level + level: 1 + # RegExp for matching title in front matter + 
front_matter_title: "^\\s*title\\s*[:=]" + +# MD026/no-trailing-punctuation - Trailing punctuation in heading +MD026: + # Punctuation characters + punctuation: ".,;:!。,;:!" + +# MD029/ol-prefix - Ordered list item prefix +MD029: + # List style + style: "one_or_ordered" + +# MD030/list-marker-space - Spaces after list markers +MD030: + # Spaces for single-line unordered list items + ul_single: 1 + # Spaces for single-line ordered list items + ol_single: 1 + # Spaces for multi-line unordered list items + ul_multi: 1 + # Spaces for multi-line ordered list items + ol_multi: 1 + +# MD033/no-inline-html - Inline HTML +MD033: + # Allowed elements + allowed_elements: [details, summary] + +# MD035/hr-style - Horizontal rule style +MD035: + # Horizontal rule style + style: "---" + +# MD036/no-emphasis-as-heading/no-emphasis-as-header - Emphasis used instead of a heading +MD036: + # Punctuation characters + punctuation: ".,;:!?。,;:!?" + +# MD041/first-line-heading/first-line-h1 - First line in a file should be a top-level heading +MD041: + # Heading level + level: 1 + # RegExp for matching title in front matter + front_matter_title: "^\\s*title\\s*[:=]" + +# MD044/proper-names - Proper names should have the correct capitalization +MD044: + # List of proper names + names: + - docker.gitea.com + - Gitea + - PostgreSQL + - Memcached + - Prometheus + - Git + - GitOps + # Include code blocks + code_blocks: false + +# MD046/code-block-style - Code block style +MD046: + # Block style + style: "fenced" + +# MD048/code-fence-style - Code fence style +MD048: + # Code fence syle + style: "backtick" diff --git a/charts/helm-gitea/.markdownlintignore b/charts/helm-gitea/.markdownlintignore new file mode 100644 index 0000000..0ba7dcd --- /dev/null +++ b/charts/helm-gitea/.markdownlintignore @@ -0,0 +1,4 @@ +.gitea/ +node_modules/ +charts/ +Chart.lock \ No newline at end of file diff --git a/charts/helm-gitea/.npmrc b/charts/helm-gitea/.npmrc new file mode 100644 index 0000000..b6f27f1 
--- /dev/null +++ b/charts/helm-gitea/.npmrc @@ -0,0 +1 @@ +engine-strict=true diff --git a/charts/helm-gitea/.prettierignore b/charts/helm-gitea/.prettierignore new file mode 100644 index 0000000..fafeafa --- /dev/null +++ b/charts/helm-gitea/.prettierignore @@ -0,0 +1 @@ +Chart.lock \ No newline at end of file diff --git a/charts/helm-gitea/.vscode/extensions.json b/charts/helm-gitea/.vscode/extensions.json new file mode 100644 index 0000000..9ae1a2e --- /dev/null +++ b/charts/helm-gitea/.vscode/extensions.json @@ -0,0 +1,9 @@ +{ + "recommendations": [ + "yzhang.markdown-all-in-one", + "DavidAnson.vscode-markdownlint", + "Tim-Koehler.helm-intellisense", + "esbenp.prettier-vscode", + "jetmartin.bats" + ] + } diff --git a/charts/helm-gitea/.vscode/settings.json b/charts/helm-gitea/.vscode/settings.json new file mode 100644 index 0000000..505d1c7 --- /dev/null +++ b/charts/helm-gitea/.vscode/settings.json @@ -0,0 +1,15 @@ +{ + "yaml.schemas": { + "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.8.2/schema/helm-testsuite.json": [ + "/unittests/**/*.yaml" + ] + }, + "yaml.schemaStore.enable": true, + "[bats]": { + "editor.tabSize": 2 + }, + "[shellscript]": { + "files.eol": "\n", + "editor.tabSize": 2 + } +} diff --git a/charts/helm-gitea/.yamllint b/charts/helm-gitea/.yamllint new file mode 100644 index 0000000..51306d2 --- /dev/null +++ b/charts/helm-gitea/.yamllint @@ -0,0 +1,20 @@ +--- +extends: default + +ignore: | + .yamllint + node_modules + templates + unittests/bash + +rules: + truthy: + allowed-values: ['true', 'false'] + check-keys: False + level: error + line-length: disable + document-start: disable + comments: + min-spaces-from-content: 1 + braces: + max-spaces-inside: 2 diff --git a/charts/helm-gitea/CODEOWNERS b/charts/helm-gitea/CODEOWNERS new file mode 100644 index 0000000..304f3e6 --- /dev/null +++ b/charts/helm-gitea/CODEOWNERS @@ -0,0 +1 @@ +charts/* @justusbunsi @pat-s \ No newline at end of file 
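Review bot: `charts/* @justusbunsi @pat-s` in the new CODEOWNERS names the upstream helm-gitea maintainers, who are not owners of this repository, and a CODEOWNERS file placed inside a chart subdirectory is not read by the forge (it is only honoured at the repository root or in `.gitea/`, `.github/` or `docs/`), so it neither routes reviews nor protects anything. Either drop the file from the vendored copy or add an entry such as `charts/helm-gitea/ @<this-repo-owner>` to a root CODEOWNERS so changes to the chart actually require review from someone here. The `.vscode/settings.json` added alongside fetches the helm-unittest schema from `raw.githubusercontent.com`; that is editor-only, but it is one more unpinned network fetch worth knowing about.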
diff --git a/charts/helm-gitea/CONTRIBUTING.md b/charts/helm-gitea/CONTRIBUTING.md new file mode 100644 index 0000000..e514c12 --- /dev/null +++ b/charts/helm-gitea/CONTRIBUTING.md 
@@ -0,0 +1,80 @@ +# Contribution Guidelines + +Any type of contribution is welcome; from new features, bug fixes, tests, +refactorings for easier maintainability or documentation improvements. + +## Development environment + +- [`node`](https://nodejs.org/en/) at least current LTS +- [`helm`](https://helm.sh/docs/intro/install/) +- `make` is optional; you may call the commands directly + +When using Visual Studio Code as IDE, a [ready-to-use profile](.vscode/) is available. + +## Documentation Requirements + +The `README.md` must include all configuration options. +The parameters section is generated by extracting the parameter annotations from the `values.yaml` file, by using [this tool](https://github.com/bitnami-labs/readme-generator-for-helm). + +If changes were made on configuration options, run `make readme` to update the README file. + +The ToC is created via the VSCode [Markdown All in One](https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one) extension which can/must also be used used to update it. + +## Pull Request Requirements + +When submitting or updating a PR: + +- make sure it passes CI builds. +- do not make independent changes in one PR. +- try to avoid rebases. They make code reviews for large PRs and comments much harder. +- if applicable, use the PR template for a well-defined PR description. +- clearly mark breaking changes. +- format the PR title following the [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/#specification) schema + +## Local development & testing + +For local development and testing of pull requests, the following workflow can +be used: + +1. Install `minikube` and `helm`. +1. Start a `minikube` cluster via `minikube start`. +1. From the `gitea/helm-gitea` directory execute the following command. + This will install the dependencies listed in `Chart.yml` and deploy the current state of the helm chart found locally. 
+ If you want to test a branch, make sure to switch to the respective branch first. + `helm install --dependency-update gitea . -f values.yaml`. +1. Gitea is now deployed in `minikube`. + To access it, it's port needs to be forwarded first from `minikube` to localhost first via `kubectl --namespace +default port-forward svc/gitea-http 3000:3000`. + Now Gitea is accessible at [http://localhost:3000](http://localhost:3000). + +### Unit tests + +#### Helm templating tests + +```bash +# install the unittest plugin +$ helm plugin install https://github.com/helm-unittest/helm-unittest + +# run the Helm unittests +make unittests-helm +``` + +See [plugin documentation](https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md) for usage instructions. + +#### Bash script tests + +```bash +# setup the environment +git submodule update --init --recursive + +# run the bash tests +make unittests-bash +``` + +See [bats documentation](https://bats-core.readthedocs.io/en/stable/) for usage instructions. + +## Release process + +1. Ensure you have [`git-sv`](https://github.com/thegeeklab/git-sv) installed +1. Run `git sv tag` (this creates and pushes the tag following the respective next tag according to the semver commits issued since the last release) +1. Let CI do it's work diff --git a/charts/helm-gitea/Chart.lock b/charts/helm-gitea/Chart.lock new file mode 100644 index 0000000..b513d78 --- /dev/null +++ b/charts/helm-gitea/Chart.lock @@ -0,0 +1,15 @@ +dependencies: +- name: postgresql + repository: oci://registry-1.docker.io/bitnamicharts + version: 16.7.4 +- name: postgresql-ha + repository: oci://registry-1.docker.io/bitnamicharts + version: 16.0.6 +- name: valkey-cluster + repository: oci://registry-1.docker.io/bitnamicharts + version: 3.0.10 +- name: valkey + repository: oci://registry-1.docker.io/bitnamicharts + version: 3.0.9 +digest: sha256:aeafc605b86db0ff3999cd808af1c9ca3a6a749aae0d42f2fdae89803b3bb60a +generated: "2025-05-25T00:23:17.804516988Z" 
diff --git a/charts/helm-gitea/Chart.yaml b/charts/helm-gitea/Chart.yaml new file mode 100644 index 0000000..55946b9 --- /dev/null +++ b/charts/helm-gitea/Chart.yaml @@ -0,0 +1,55 @@ +apiVersion: v2 +name: gitea +description: Gitea Helm chart for Kubernetes +type: application +version: 0.0.0 +# renovate datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?.*)$ +appVersion: 1.23.8 +icon: https://gitea.com/assets/img/logo.svg + +keywords: + - git + - issue tracker + - code review + - wiki + - gitea + - gogs +sources: + - https://gitea.com/gitea/helm-gitea + - https://github.com/go-gitea/gitea + - https://docker.gitea.com/gitea +maintainers: + - name: Charlie Drage + email: charlie@charliedrage.com + - name: Gitea Authors + email: maintainers@gitea.io + - name: Konrad Lother + email: konrad.lother@novum-rgi.de + - name: Lucas Hahn + email: lucas.hahn@novum-rgi.de + - name: Steven Kriegler + email: sk.bunsenbrenner@gmail.com + - name: Patrick Schratz + email: patrick.schratz@gmail.com + +dependencies: + # https://github.com/bitnami/charts/blob/main/bitnami/postgresql + - name: postgresql + repository: oci://registry-1.docker.io/bitnamicharts + version: 16.7.4 + condition: postgresql.enabled + # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml + - name: postgresql-ha + repository: oci://registry-1.docker.io/bitnamicharts + version: 16.0.6 + condition: postgresql-ha.enabled + # https://github.com/bitnami/charts/blob/main/bitnami/valkey-cluster/Chart.yaml + - name: valkey-cluster + repository: oci://registry-1.docker.io/bitnamicharts + version: 3.0.10 + condition: valkey-cluster.enabled + # https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml + - name: valkey + repository: oci://registry-1.docker.io/bitnamicharts + version: 3.0.9 + condition: valkey.enabled diff --git a/charts/helm-gitea/LICENSE b/charts/helm-gitea/LICENSE new file mode 100644 index 0000000..bbf54de --- /dev/null +++ b/charts/helm-gitea/LICENSE 
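Review bot: `version: 0.0.0` is upstream's placeholder (their release tooling stamps the version at tag time), so every install from this vendored copy reports chart version 0.0.0 and Helm's release history and diff tooling cannot distinguish one refresh of the copy from the next; set a real version here and bump it whenever the copy is updated. Because the chart is copied in rather than consumed from `oci://docker.gitea.com/charts/gitea`, nothing in the tree records which upstream tag or commit it corresponds to — add `annotations:` with the upstream source URL and the copied ref (e.g. `upstream.ref: "v<tag>"`) so the provenance is auditable when the next advisory against the chart or its Bitnami dependencies lands. The renovate comment's `extractVersion=^v(?.*)$` is not a valid regex as shown; if the named group `(?<version>.*)` was merely lost in rendering, disregard this last point.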
@@ -0,0 +1,24 @@ +MIT License + +Copyright (c) 2020 The Gitea Authors +Copyright (c) 2020 NOVUM-RGI +Copyright (c) 2019 - 2020 Charlie Drage +Copyright (c) 2018 John Felten + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/charts/helm-gitea/Makefile b/charts/helm-gitea/Makefile new file mode 100644 index 0000000..3fc00c2 --- /dev/null +++ b/charts/helm-gitea/Makefile 
@@ -0,0 +1,26 @@ +SHELL := /usr/bin/env bash -O globstar + +.PHONY: prepare-environment +prepare-environment: + npm install + +.PHONY: readme +readme: prepare-environment + npm run readme:parameters + npm run readme:lint + +.PHONY: unittests +unittests: unittests-helm unittests-bash + +.PHONY: unittests-helm +unittests-helm: + helm unittest --strict -f 'unittests/helm/**/*.yaml' -f 'unittests/helm/values-conflicting-checks.yaml' ./ + +.PHONY: unittests-bash +unittests-bash: + ./unittests/bash/bats/bin/bats --pretty ./unittests/bash/tests/**/*.bats + +.PHONY: helm +update-helm-dependencies: + helm dependency update + \ No newline at end of file diff --git a/charts/helm-gitea/README.md b/charts/helm-gitea/README.md new file mode 100644 index 0000000..1c62299 --- /dev/null +++ b/charts/helm-gitea/README.md 
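Review bot: `prepare-environment` runs `npm install`, which resolves fresh versions and may rewrite the lockfile, yet `make readme` is what CI uses to assert `README.md` is current, so the generator toolchain should be installed exactly as locked with `npm ci` (assuming a `package-lock.json` is present, which the `.helmignore` in this same patch suggests). The last target is declared `.PHONY: helm` but named `update-helm-dependencies`, so the phony declaration applies to nothing; change it to `.PHONY: update-helm-dependencies`. The file also ends in a whitespace-only line with no trailing newline.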
@@ -0,0 +1,1579 @@ +# Gitea Helm Chart + +- [Introduction](#introduction) +- [Update and versioning policy](#update-and-versioning-policy) +- [Dependencies](#dependencies) + - [HA Dependencies](#ha-dependencies) + - [Non-HA Dependencies](#non-ha-dependencies) + - [Dependency Versioning](#dependency-versioning) +- [Installing](#installing) +- [High Availability](#high-availability) +- [Limit resources](#limit-resources) +- [Configuration](#configuration) + - [Default Configuration](#default-configuration) + - [Database defaults](#database-defaults) + - [Server defaults](#server-defaults) + - [Metrics defaults](#metrics-defaults) + - [Rootless Defaults](#rootless-defaults) + - [Session, Cache and Queue](#session-cache-and-queue) + - [Single-Pod Configurations](#single-pod-configurations) + - [Additional _app.ini_ settings](#additional-appini-settings) + - [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini) + - [External Database](#external-database) + - [Ports and external url](#ports-and-external-url) + - [ClusterIP](#clusterip) + - [SSH and Ingress](#ssh-and-ingress) + - [SSH on crio based kubernetes cluster](#ssh-on-crio-based-kubernetes-cluster) + - [Cache](#cache) + - [Persistence](#persistence) + - [Admin User](#admin-user) + - [LDAP Settings](#ldap-settings) + - [OAuth2 Settings](#oauth2-settings) +- [Configure commit signing](#configure-commit-signing) +- [Metrics and profiling](#metrics-and-profiling) + - [Secure Metrics Endpoint](#secure-metrics-endpoint) +- [Pod annotations](#pod-annotations) +- [Themes](#themes) +- [Renovate](#renovate) +- [Parameters](#parameters) + - [Global](#global) + - [strategy](#strategy) + - [Image](#image) + - [Security](#security) + - [Service](#service) + - [Ingress](#ingress) + - [deployment](#deployment) + - [ServiceAccount](#serviceaccount) + - [Persistence](#persistence-1) + - [Init](#init) + - [Signing](#signing) + - [Gitea](#gitea) + - [LivenessProbe](#livenessprobe) + - 
[ReadinessProbe](#readinessprobe) + - [StartupProbe](#startupprobe) + - [valkey-cluster](#valkey-cluster) + - [valkey](#valkey) + - [PostgreSQL HA](#postgresql-ha) + - [PostgreSQL](#postgresql) + - [Advanced](#advanced) +- [Contributing](#contributing) +- [Upgrading](#upgrading) + +[Gitea](https://gitea.com) is a community managed lightweight code hosting solution written in Go. +It is published under the MIT license. + +## Introduction + +This helm chart has taken some inspiration from [jfelten's helm chart](https://github.com/jfelten/gitea-helm-chart). +Yet it takes a completely different approach in providing a database and cache with dependencies. +Additionally, this chart allows to provide LDAP and admin user configuration with values. + +## Update and versioning policy + +The Gitea helm chart versioning does not follow Gitea's versioning. +The latest chart version can be looked up in [https://dl.gitea.com/charts](https://dl.gitea.com/charts) or in the [repository releases](https://gitea.com/gitea/helm-gitea/releases). + +The chart aims to follow Gitea's releases closely. +There might be times when the chart is behind the latest Gitea release. +This might be caused by different reasons, most often due to time constraints of the maintainers (remember, all work here is done voluntarily in the spare time of people). +If you're eager to use the latest Gitea version earlier than this chart catches up, then change the tag in `values.yaml` to the latest Gitea version. +Note that besides the exact Gitea version one can also use the `:1` tag to automatically follow the latest Gitea version. +This should be combined with `image.pullPolicy: "Always"`. +Important: Using the `:1` will also automatically jump to new minor release (e.g. from 1.13 to 1.14) which may eventually cause incompatibilities if major/breaking changes happened between these versions. 
+This is due to Gitea not strictly following [semantic versioning](https://semver.org/#summary) as breaking changes do not increase the major version. +I.e., "minor" version bumps are considered "major". +Yet most often no issues will be encountered and the chart maintainers aim to communicate early/upfront if this would be the case. + +## Dependencies + +Gitea is most performant when run with an external database and cache. +This chart provides those dependencies via sub-charts. +Users can also configure their own external providers via the configuration. + +### HA Dependencies + +These dependencies are enabled by default: + +- PostgreSQL HA ([Bitnami PostgreSQL-HA](https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml)) +- Valkey-Cluster ([Bitnami Valkey-Cluster](https://github.com/bitnami/charts/blob/main/bitnami/valkey-cluster/Chart.yaml)) + +### Non-HA Dependencies + +Alternatively, the following non-HA replacements are available: + +- PostgreSQL ([Bitnami PostgreSQL]()) +- Valkey ([Bitnami Valkey]()) + +### Dependency Versioning + +Updates of sub-charts will be incorporated into the Gitea chart as they are released. +The reasoning behind this is that new users of the chart will start with the most recent sub-chart dependency versions. + +**Note** If you want to stay on an older appVersion of a sub-chart dependency (e.g. PostgreSQL), you need to override the image tag in your `values.yaml` file. +In fact, we recommend to do so right from the start to be independent of major sub-chart dependency changes as they are released. +There is no need to update to every new PostgreSQL major version - you can happily skip some and do larger updates when you are ready for them. + +We recommend to use a rolling tag like `:-debian-` to incorporate minor and patch updates for the respective major version as they are released. +Alternatively you can also use a versioning helper tool like [renovate](https://github.com/renovatebot/renovate). 
+ +Please double-check the image repository and available tags in the sub-chart: + +- [PostgreSQL-HA](https://hub.docker.com/r/bitnami/postgresql-repmgr/tags) +- [PostgreSQL](https://hub.docker.com/r/bitnami/postgresql/tags) +- [Valkey Cluster](https://hub.docker.com/r/bitnami/valkey-cluster/tags) +- [Valkey](https://hub.docker.com/r/bitnami/valkey/tags) + +and look up the image tag which fits your needs on Dockerhub. + +## Installing + +```sh +helm repo add gitea-charts https://dl.gitea.com/charts/ +helm repo update +helm install gitea gitea-charts/gitea +``` + +Alternatively, the chart can also be installed from Dockerhub (since v9.6.0) + +```sh +helm install gitea oci://registry-1.docker.io/giteacharts/gitea +``` + +To avoid potential Dockerhub rate limits, the chart can also be installed via [docker.gitea.com](https://blog.gitea.com/docker-registry-update/) (since v9.6.0) + +```sh +helm install gitea oci://docker.gitea.com/charts/gitea +``` + +When upgrading, please refer to the [Upgrading](#upgrading) section at the bottom of this document for major and breaking changes. + +## High Availability + +Since version 9.0.0 this chart supports running Gitea and it's dependencies in HA mode. +Care must be taken for production use as not all implementation details of Gitea core are officially HA-ready yet. + +Deploying a HA-ready Gitea instance requires some effort including using HA-ready dependencies. +See the [HA Setup](docs/ha-setup.md) document for more details. + +## Limit resources + +If the application is deployed with a CPU resource limit, Prometheus may throw a CPU throttling warning for the +application. This has more or less to do with the fact that the application finds the number of CPUs of the host, but +cannot use the available CPU time to perform computing operations. + +The application must be informed that despite several CPUs only a part (limit) of the available computing time is +available. 
As this is a Golang application, this can be implemented using `GOMAXPROCS`. The following example is one way +of defining `GOMAXPROCS` automatically based on the defined CPU limit like `1000m`. Please keep in mind, that the CFS +rate of `100ms` - default on each kubernetes node, is also very important to avoid CPU throttling. + +Further information about this topic can be found [here](https://kanishk.io/posts/cpu-throttling-in-containerized-go-apps/). + +> [!NOTE] +> The environment variable `GOMAXPROCS` is set automatically, when a CPU limit is defined. An explicit configuration is +> not anymore required. +> +> Please note that a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully. + +```yaml +deployment: + env: + # Will be automatically defined! + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + divisor: "1" # Is required for GitDevOps systems like ArgoCD/Flux. Otherwise throw the system a diff error. (k8s-default=1) + resource: limits.cpu + +resources: + limits: + cpu: 1000m + memory: 512Mi + requests: + cpu: 100m + memory: 512Mi +``` + +## Configuration + +Gitea offers lots of configuration options. +This is fully described in the [Gitea Cheat Sheet](https://docs.gitea.com/administration/config-cheat-sheet). + +```yaml +gitea: + config: + APP_NAME: "Gitea: With a cup of tea." + repository: + ROOT: "~/gitea-repositories" + repository.pull-request: + WORK_IN_PROGRESS_PREFIXES: "WIP:,[WIP]:" +``` + +### Default Configuration + +This chart will set a few defaults in the Gitea configuration based on the service and ingress settings. +All defaults can be overwritten in `gitea.config`. + +INSTALL_LOCK is always set to true, since we want to configure Gitea with this helm chart and everything is taken care of. + +_All default settings are made directly in the generated `app.ini`, not in the Values._ + +#### Database defaults + +If a builtIn database is enabled the database configuration is set automatically. 
+For example, PostgreSQL builtIn will appear in the `app.ini` as: + +```ini +[database] +DB_TYPE = postgres +HOST = RELEASE-NAME-postgresql.default.svc.cluster.local:5432 +NAME = gitea +PASSWD = gitea +USER = gitea +``` + +#### Server defaults + +The server defaults are a bit more complex. +If ingress is `enabled`, the `ROOT_URL`, `DOMAIN` and `SSH_DOMAIN` will be set accordingly. +`HTTP_PORT` always defaults to `3000` as well as `SSH_PORT` to `22`. + +```ini +[server] +APP_DATA_PATH = /data +DOMAIN = git.example.com +HTTP_PORT = 3000 +PROTOCOL = http +ROOT_URL = http://git.example.com +SSH_DOMAIN = git.example.com +SSH_LISTEN_PORT = 22 +SSH_PORT = 22 +ENABLE_PPROF = false +``` + +#### Metrics defaults + +The Prometheus `/metrics` endpoint is disabled by default. + +```ini +[metrics] +ENABLED = false +``` + +#### Rootless Defaults + +If `.Values.image.rootless: true`, then the following will occur. In case you use `.Values.image.fullOverride`, check that this works in your image: + +- `$HOME` becomes `/data/gitea/git` + + [see deployment.yaml](./templates/gitea/deployment.yaml) template inside (init-)container "env" declarations + +- `START_SSH_SERVER: true` (Unless explicity overwritten by `gitea.config.server.START_SSH_SERVER`) + + [see \_helpers.tpl](./templates/_helpers.tpl) in `gitea.inline_configuration.defaults.server` definition + +- `SSH_LISTEN_PORT: 2222` (Unless explicity overwritten by `gitea.config.server.SSH_LISTEN_PORT`) + + [see \_helpers.tpl](./templates/_helpers.tpl) in `gitea.inline_configuration.defaults.server` definition + +- `SSH_LOG_LEVEL` environment variable is not injected into the container + + [see deployment.yaml](./templates/gitea/deployment.yaml) template inside container "env" declarations + +#### Session, Cache and Queue + +The session, cache and queue settings are set to use the built-in Valkey Cluster sub-chart dependency. 
+If Valkey Cluster is disabled, the chart will fall back to the Gitea defaults which use "memory" for `session` and `cache` and "level" for `queue`. + +While these will work and even not cause immediate issues after startup, **they are not recommended for production use**. +Reasons being that a single pod will take on all the work for `session` and `cache` tasks in its available memory. +It is likely that the pod will run out of memory or will face substantial memory spikes, depending on the workload. +External tools such as `valkey-cluster` or `memcached` handle these workloads much better. + +### Single-Pod Configurations + +If HA is not needed/desired, the following configurations can be used to deploy a single-pod Gitea instance. + +1. For a production-ready single-pod Gitea instance without external dependencies (using the chart dependency `postgresql` and `valkey`): + +
+ + values.yml + + ```yaml + valkey-cluster: + enabled: false + valkey: + enabled: true + postgresql: + enabled: true + postgresql-ha: + enabled: false + + persistence: + enabled: true + + gitea: + config: + database: + DB_TYPE: postgres + indexer: + ISSUE_INDEXER_TYPE: bleve + REPO_INDEXER_ENABLED: true + ``` + +
+ +2. For a minimal DEV installation (using the built-in sqlite DB instead of Postgres): + + This will result in a single-pod Gitea instance _without any dependencies and persistence_. + **Do not use this configuration for production use**. + +
+ + values.yml + + ```yaml + valkey-cluster: + enabled: false + valkey: + enabled: false + postgresql: + enabled: false + postgresql-ha: + enabled: false + + persistence: + enabled: false + + gitea: + config: + database: + DB_TYPE: sqlite3 + session: + PROVIDER: memory + cache: + ADAPTER: memory + queue: + TYPE: level + ``` + +
+ +### Additional _app.ini_ settings + +> **The [generic](https://docs.gitea.com/administration/config-cheat-sheet#overall-default) +> section cannot be defined that way.** + +Some settings inside _app.ini_ (like passwords or whole authentication configurations) must be considered sensitive and therefore should not be passed via plain text inside the _values.yaml_ file. +In times of _GitOps_ the values.yaml could be stored in a Git repository where sensitive data should never be accessible. + +The Helm Chart supports this approach and let the user define custom sources like +Kubernetes Secrets to be loaded as environment variables during _app.ini_ creation or update. + +```yaml +gitea: + additionalConfigSources: + - secret: + secretName: gitea-app-ini-oauth + - configMap: + name: gitea-app-ini-plaintext +``` + +This would mount the two additional volumes (`oauth` and `some-additionals`) from different sources to the init container where the _app.ini_ gets updated. +All files mounted that way will be read and converted to environment variables and then added to the _app.ini_ using [environment-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini). + +The key of such additional source represents the section inside the _app.ini_. +The value for each key can be multiline ini-like definitions. + +In example, the referenced `gitea-app-ini-plaintext` could look like this. 
+ +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: gitea-app-ini-plaintext +data: + session: | + PROVIDER=memory + SAME_SITE=strict + cron.archive_cleanup: | + ENABLED=true +``` + +Or when using a Kubernetes secret, having the same data structure: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: gitea-security-related-configuration +type: Opaque +stringData: + security: | + PASSWORD_COMPLEXITY=off + session: | + SAME_SITE=strict +``` + +#### User defined environment variables in app.ini + +Users are able to define their own environment variables, which are loaded into the containers. +We also support to directly interact with the generated _app.ini_. + +To inject self defined variables into the _app.ini_ a certain format needs to be honored. +This is described in detail on the [env-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini) page. + +Prior to Gitea 1.20 and Chart 9.0.0 the helm chart had a custom prefix `ENV_TO_INI`. +After the support for a custom prefix was removed in Gite core, the prefix was changed to `GITEA`. + +For example a database setting needs to have the following format: + +```yaml +gitea: + additionalConfigFromEnvs: + - name: GITEA__DATABASE__HOST + value: my.own.host + - name: GITEA__DATABASE__PASSWD + valueFrom: + secretKeyRef: + name: postgres-secret + key: password +``` + +Priority (highest to lowest) for defining app.ini variables: + +1. Environment variables prefixed with `GITEA` +1. Additional config sources +1. Values defined in `gitea.config` + +### External Database + +Any external database listed in [https://docs.gitea.com/installation/database-prep](https://docs.gitea.com/installation/database-prep) can be used instead of the built-in PostgreSQL. +In fact, it is **highly recommended** to use an external database to ensure a stable Gitea installation longterm. 
+ +If an external database is used, no matter which type, make sure to set `postgresql.enabled` to `false` to disable the use of the built-in PostgreSQL. + +```yaml +gitea: + config: + database: + DB_TYPE: mysql + HOST: + NAME: gitea + USER: root + PASSWD: gitea + SCHEMA: gitea + +postgresql: + enabled: false + +postgresql-ha: + enabled: false +``` + +### Ports and external url + +By default port `3000` is used for web traffic and `22` for ssh. +Those can be changed: + +```yaml +service: + http: + port: 3000 + ssh: + port: 22 +``` + +This helm chart automatically configures the clone urls to use the correct ports. +You can change these ports by hand using the `gitea.config` dict. +However you should know what you're doing. + +### ClusterIP + +By default the `clusterIP` will be set to `None`, which is the default for headless services. +However if you want to omit the clusterIP field in the service, use the following values: + +```yaml +service: + http: + type: ClusterIP + port: 3000 + clusterIP: + ssh: + type: ClusterIP + port: 22 + clusterIP: +``` + +### SSH and Ingress + +If you're using ingress and want to use SSH, keep in mind, that ingress is not able to forward SSH Ports. +You will need a LoadBalancer like `metallb` and a setting in your ssh service annotations. + +```yaml +service: + ssh: + annotations: + metallb.universe.tf/allow-shared-ip: test +``` + +### SSH on crio based kubernetes cluster + +If you use `crio` as container runtime it is not possible to read from a remote repository. +You should get an error message like this: + +```bash +$ git clone git@k8s-demo.internal:admin/test.git +Cloning into 'test'... +Connection reset by 192.168.179.217 port 22 +fatal: Could not read from remote repository. + +Please make sure you have the correct access rights +and the repository exists. +``` + +To solve this problem add the capability `SYS_CHROOT` to the `securityContext`. +More about this issue [here](https://gitea.com/gitea/helm-gitea/issues/161). 
+ +### Cache + +The cache handling is done via `valkey-cluster` (via the `bitnami` chart) by default. +This deployment is HA-ready but can also be used for single-pod deployments. +By default, 6 replicas are deployed for a working `valkey-cluster` deployment. +Many cloud providers offer a managed valkey service, which can be used instead of the built-in `valkey-cluster`. + +```yaml +valkey-cluster: + enabled: true +``` + +⚠️ The valkey charts [do not work well with special characters in the password](https://gitea.com/gitea/helm-chart/issues/690). +Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed. + +### Persistence + +Gitea will be deployed as a deployment. +By simply enabling the persistence and setting the storage class according to your cluster everything else will be taken care of. +The following example will create a PVC as a part of the deployment. + +Please note, that an empty `storageClass` in the persistence will result in kubernetes using your default storage class. + +If you want to use your own storage class define it as follows: + +```yaml +persistence: + enabled: true + storageClass: myOwnStorageClass +``` + +If you want to manage your own PVC you can simply pass the PVC name to the chart. + +```yaml +persistence: + enabled: true + claimName: MyAwesomeGiteaClaim +``` + +In case that persistence has been disabled it will simply use an empty dir volume. + +PostgreSQL handles the persistence in the exact same way. +You can interact with the postgres settings as displayed in the following example: + +```yaml +postgresql: + persistence: + enabled: true + existingClaim: MyAwesomeGiteaPostgresClaim +``` + +### Admin User + +This chart enables you to create a default admin user. +It is also possible to update the password for this user by upgrading or redeploying the chart. +It is not possible to delete an admin user after it has been created. +This has to be done in the ui. +You cannot use `admin` as username. 
+ +```yaml +gitea: + admin: + username: "MyAwesomeGiteaAdmin" + password: "AReallyAwesomeGiteaPassword" + email: "gi@tea.com" +``` + +You can also use an existing Secret to configure the admin user: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: gitea-admin-secret +type: Opaque +stringData: + username: MyAwesomeGiteaAdmin + password: AReallyAwesomeGiteaPassword +``` + +```yaml +gitea: + admin: + existingSecret: gitea-admin-secret +``` + +Whether you use the existing Secret or specify a user name and password, there are three modes for how the admin user password is created or set. + +- `keepUpdated` (the default) will set the admin user password, and reset it to the defined value every time the pod is recreated. +- `initialOnlyNoReset` will set the admin user password when creating it, but never try to update the password. +- `initialOnlyRequireReset` will set the admin user password when creating it, never update it, and require that the password be changed at the initial login. + +These modes can be set like the following: + +```yaml +gitea: + admin: + passwordMode: initialOnlyRequireReset +``` + +### LDAP Settings + +Like the admin user the LDAP settings can be updated. +All LDAP values from are available. + +Multiple LDAP sources can be configured with additional LDAP list items. 
+ +```yaml +gitea: + ldap: + - name: MyAwesomeGiteaLdap + securityProtocol: unencrypted + host: "127.0.0.1" + port: "389" + userSearchBase: ou=Users,dc=example,dc=com + userFilter: sAMAccountName=%s + adminFilter: CN=Admin,CN=Group,DC=example,DC=com + emailAttribute: mail + bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com + bindPassword: JustAnotherBindPw + usernameAttribute: CN + publicSSHKeyAttribute: publicSSHKey +``` + +You can also use an existing secret to set the `bindDn` and `bindPassword`: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: gitea-ldap-secret +type: Opaque +stringData: + bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com + bindPassword: JustAnotherBindPw +``` + +```yaml +gitea: + ldap: + - existingSecret: gitea-ldap-secret + ... +``` + +⚠️ Some options are just flags and therefore don't have any values. +If they are defined in `gitea.ldap` configuration, they will be passed to the Gitea CLI without any value. +Affected options: + +- notActive +- skipTlsVerify +- allowDeactivateAll +- synchronizeUsers +- attributesInBind + +### OAuth2 Settings + +Like the admin user, OAuth2 settings can be updated and disabled but not deleted. +Deleting OAuth2 settings has to be done in the ui. +All OAuth2 values, which are documented [here](https://docs.gitea.com/administration/command-line#admin), are +available. + +Multiple OAuth2 sources can be configured with additional OAuth list items. 
+ +```yaml +gitea: + oauth: + - name: "MyAwesomeGiteaOAuth" + provider: "openidConnect" + key: "hello" + secret: "world" + autoDiscoverUrl: "https://gitea.example.com/.well-known/openid-configuration" + #useCustomUrls: + #customAuthUrl: + #customTokenUrl: + #customProfileUrl: + #customEmailUrl: +``` + +You can also use an existing secret to set the `key` and `secret`: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: gitea-oauth-secret +type: Opaque +stringData: + key: hello + secret: world +``` + +```yaml +gitea: + oauth: + - name: "MyAwesomeGiteaOAuth" + existingSecret: gitea-oauth-secret + ... +``` + +## Configure commit signing + +When using the rootless image the gpg key folder is not persistent by default. +If you consider using signed commits for internal Gitea activities (e.g. initial commit), you'd need to provide a signing key. +Prior to [PR186](https://gitea.com/gitea/helm-gitea/pulls/186), imported keys had to be re-imported once the container got replaced by another. + +The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing. +By default this section is disabled to maintain backwards compatibility. + +```yaml +signing: + enabled: false + gpgHome: /data/git/.gnupg +``` + +Regardless of the used container image the `signing` object allows to specify a private gpg key. +Either using the `signing.privateKey` to define the key inline, or refer to an existing secret containing the key data by using `signing.existingSecret`. + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: custom-gitea-gpg-key +type: Opaque +stringData: + privateKey: |- + -----BEGIN PGP PRIVATE KEY BLOCK----- + ... + -----END PGP PRIVATE KEY BLOCK----- +``` + +```yaml +signing: + existingSecret: custom-gitea-gpg-key +``` + +To use the gpg key, Gitea needs to be configured accordingly. 
+A detailed description can be found in the [official Gitea documentation](https://docs.gitea.com/administration/signing#general-configuration). + +## Metrics and profiling + +A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling endpoints on port 6060 can be enabled under `gitea`. +Beware that the metrics endpoint is exposed via the ingress, manage access using ingress annotations for example. + +To deploy the `ServiceMonitor`, you first need to ensure that you have deployed `prometheus-operator` and its [CRDs](https://github.com/prometheus-operator/prometheus-operator#customresourcedefinitions). + +```yaml +gitea: + metrics: + enabled: true + serviceMonitor: + enabled: true + + config: + server: + ENABLE_PPROF: true +``` + +### Secure Metrics Endpoint + +Metrics endpoint `/metrics` can be secured by using `Bearer` token authentication. + +**Note:** Providing non-empty `TOKEN` value will also require authentication for `ServiceMonitor`. + +```yaml +gitea: + metrics: + token: "secure-token" + enabled: true + serviceMonitor: + enabled: true +``` + +## Pod annotations + +Annotations can be added to the Gitea pod. + +```yaml +gitea: + podAnnotations: {} +``` + +## Themes + +Custom themes can be added via k8s secrets and referencing them in `values.yaml`. + +The [http provider](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) is useful here. 
+ +```yaml +extraVolumes: + - name: gitea-themes + secret: + secretName: gitea-themes + +extraVolumeMounts: + - name: gitea-themes + readOnly: true + mountPath: "/data/gitea/public/assets/css" +``` + +The secret can be created via `terraform`: + +```hcl +resource "kubernetes_secret" "gitea-themes" { + metadata { + name = "gitea-themes" + namespace = "gitea" + } + + data = { + "my-theme.css" = data.http.gitea-theme-light.body + "my-theme-dark.css" = data.http.gitea-theme-dark.body + "my-theme-auto.css" = data.http.gitea-theme-auto.body + } + + type = "Opaque" +} + + +data "http" "gitea-theme-light" { + url = "" + + request_headers = { + Accept = "application/json" + } +} + +data "http" "gitea-theme-dark" { + url = "" + + request_headers = { + Accept = "application/json" + } +} + +data "http" "gitea-theme-auto" { + url = "" + + request_headers = { + Accept = "application/json" + } +} +``` + +or natively via `kubectl`: + +```bash +kubectl create secret generic gitea-themes --from-file={{FULL-PATH-TO-CSS}} --namespace gitea +``` + +## Renovate + +To be able to use a digest value which is automatically updated by `Renovate` a [customManager](https://docs.renovatebot.com/modules/manager/regex/) is required. +Here's an examplary `values.yml` definition which makes use of a digest: + +```yaml +image: + repository: gitea/gitea + tag: 1.20.2 + digest: sha256:6e3b85a36653894d6741d0aefb41dfaac39044e028a42e0a520cc05ebd7bfc3f +``` + +By default Renovate adds digest after the `tag`. 
+To comply with the Gitea helm chart definition of the digest parameter, a "customManagers" definition is required: + +```json +"customManagers": [ + { + "customType": "regex", + "description": "Apply an explicit gitea digest field match", + "fileMatch": ["values\\.ya?ml"], + "matchStrings": ["(?gitea\\/gitea)\\n(?\\s+)tag: (?[^@].*?)\\n\\s+digest: (?sha256:[a-f0-9]+)"], + "datasourceTemplate": "docker", + "autoReplaceStringTemplate": "{{depName}}\n{{indentation}}tag: {{newValue}}\n{{indentation}}digest: {{#if newDigest}}{{{newDigest}}}{{else}}{{{currentDigest}}}{{/if}}" + } +] +``` + +## Parameters + +### Global + +| Name | Description | Value | +| ------------------------- | ---------------------------------------------------------------------------------------------- | ----- | +| `global.imageRegistry` | global image registry override | `""` | +| `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]` | +| `global.storageClass` | global storage class override | `""` | +| `global.hostAliases` | global hostAliases which will be added to the pod's hosts files | `[]` | +| `namespace` | An explicit namespace to deploy Gitea into. Defaults to the release namespace if not specified | `""` | +| `replicaCount` | number of replicas for the deployment | `1` | + +### strategy + +| Name | Description | Value | +| --------------------------------------- | -------------- | --------------- | +| `strategy.type` | strategy type | `RollingUpdate` | +| `strategy.rollingUpdate.maxSurge` | maxSurge | `100%` | +| `strategy.rollingUpdate.maxUnavailable` | maxUnavailable | `0` | +| `clusterDomain` | cluster domain | `cluster.local` | + +### Image + +| Name | Description | Value | +| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | +| `image.registry` | image registry, e.g. 
gcr.io,docker.io | `docker.gitea.com` | +| `image.repository` | Image to start for this pod | `gitea` | +| `image.tag` | Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml. | `""` | +| `image.digest` | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` | `""` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.rootless` | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher | `true` | +| `image.fullOverride` | Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** | `""` | +| `imagePullSecrets` | Secret to use for pulling the image | `[]` | + +### Security + +| Name | Description | Value | +| ---------------------------- | --------------------------------------------------------------- | ------ | +| `podSecurityContext.fsGroup` | Set the shared file system group for all containers in the pod. 
| `1000` | +| `containerSecurityContext` | Security context | `{}` | +| `securityContext` | Run init and Gitea containers as a specific securityContext | `{}` | +| `podDisruptionBudget` | Pod disruption budget | `{}` | + +### Service + +| Name | Description | Value | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| `service.http.type` | Kubernetes service type for web traffic | `ClusterIP` | +| `service.http.port` | Port number for web traffic | `3000` | +| `service.http.clusterIP` | ClusterIP setting for http autosetup for deployment is None | `None` | +| `service.http.loadBalancerIP` | LoadBalancer IP setting | `nil` | +| `service.http.nodePort` | NodePort for http service | `nil` | +| `service.http.externalTrafficPolicy` | If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | `nil` | +| `service.http.externalIPs` | External IPs for service | `nil` | +| `service.http.ipFamilyPolicy` | HTTP service dual-stack policy | `nil` | +| `service.http.ipFamilies` | HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). 
| `nil` | +| `service.http.loadBalancerSourceRanges` | Source range filter for http loadbalancer | `[]` | +| `service.http.annotations` | HTTP service annotations | `{}` | +| `service.http.labels` | HTTP service additional labels | `{}` | +| `service.http.loadBalancerClass` | Loadbalancer class | `nil` | +| `service.ssh.type` | Kubernetes service type for ssh traffic | `ClusterIP` | +| `service.ssh.port` | Port number for ssh traffic | `22` | +| `service.ssh.clusterIP` | ClusterIP setting for ssh autosetup for deployment is None | `None` | +| `service.ssh.loadBalancerIP` | LoadBalancer IP setting | `nil` | +| `service.ssh.nodePort` | NodePort for ssh service | `nil` | +| `service.ssh.externalTrafficPolicy` | If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation | `nil` | +| `service.ssh.externalIPs` | External IPs for service | `nil` | +| `service.ssh.ipFamilyPolicy` | SSH service dual-stack policy | `nil` | +| `service.ssh.ipFamilies` | SSH service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). | `nil` | +| `service.ssh.hostPort` | HostPort for ssh service | `nil` | +| `service.ssh.loadBalancerSourceRanges` | Source range filter for ssh loadbalancer | `[]` | +| `service.ssh.annotations` | SSH service annotations | `{}` | +| `service.ssh.labels` | SSH service additional labels | `{}` | +| `service.ssh.loadBalancerClass` | Loadbalancer class | `nil` | + +### Ingress + +| Name | Description | Value | +| -------------------------------- | ------------------------------- | ----------------- | +| `ingress.enabled` | Enable ingress | `false` | +| `ingress.className` | DEPRECATED: Ingress class name. 
| `""` | +| `ingress.pathType` | Ingress Path Type | `Prefix` | +| `ingress.annotations` | Ingress annotations | `{}` | +| `ingress.hosts[0].host` | Default Ingress host | `git.example.com` | +| `ingress.hosts[0].paths[0].path` | Default Ingress path | `/` | +| `ingress.tls` | Ingress tls settings | `[]` | + +### deployment + +| Name | Description | Value | +| ------------------------------------------ | ------------------------------------------------------ | ----- | +| `resources` | Kubernetes resources | `{}` | +| `schedulerName` | Use an alternate scheduler, e.g. "stork" | `""` | +| `nodeSelector` | NodeSelector for the deployment | `{}` | +| `tolerations` | Tolerations for the deployment | `[]` | +| `affinity` | Affinity for the deployment | `{}` | +| `topologySpreadConstraints` | TopologySpreadConstraints for the deployment | `[]` | +| `dnsConfig` | dnsConfig for the deployment | `{}` | +| `priorityClassName` | priorityClassName for the deployment | `""` | +| `deployment.env` | Additional environment variables to pass to containers | `[]` | +| `deployment.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod | `60` | +| `deployment.labels` | Labels for the deployment | `{}` | +| `deployment.annotations` | Annotations for the Gitea deployment to be created | `{}` | + +### ServiceAccount + +| Name | Description | Value | +| --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `serviceAccount.create` | Enable the creation of a ServiceAccount | `false` | +| `serviceAccount.name` | Name of the created ServiceAccount, defaults to release name. Can also link to an externally provided ServiceAccount that should be used. 
| `""` | +| `serviceAccount.automountServiceAccountToken` | Enable/disable auto mounting of the service account token | `false` | +| `serviceAccount.imagePullSecrets` | Image pull secrets, available to the ServiceAccount | `[]` | +| `serviceAccount.annotations` | Custom annotations for the ServiceAccount | `{}` | +| `serviceAccount.labels` | Custom labels for the ServiceAccount | `{}` | + +### Persistence + +| Name | Description | Value | +| ------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ---------------------- | +| `persistence.enabled` | Enable persistent storage | `true` | +| `persistence.create` | Whether to create the persistentVolumeClaim for shared storage | `true` | +| `persistence.mount` | Whether the persistentVolumeClaim should be mounted (even if not created) | `true` | +| `persistence.claimName` | Use an existing claim to store repository information | `gitea-shared-storage` | +| `persistence.size` | Size for persistence to store repo information | `10Gi` | +| `persistence.accessModes` | AccessMode for persistence | `["ReadWriteOnce"]` | +| `persistence.labels` | Labels for the persistence volume claim to be created | `{}` | +| `persistence.annotations.helm.sh/resource-policy` | Resource policy for the persistence volume claim | `keep` | +| `persistence.storageClass` | Name of the storage class to use | `nil` | +| `persistence.subPath` | Subdirectory of the volume to mount at | `nil` | +| `persistence.volumeName` | Name of persistent volume in PVC | `""` | +| `extraContainers` | Additional sidecar containers to run in the pod | `[]` | +| `extraVolumes` | Additional volumes to mount to the Gitea deployment | `[]` | +| `extraContainerVolumeMounts` | Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. | `[]` | +| `extraInitVolumeMounts` | Mounts that are only mapped into the init-containers. 
Can be used for additional preconfiguration. | `[]` | +| `extraVolumeMounts` | **DEPRECATED** Additional volume mounts for init containers and the Gitea main container | `[]` | + +### Init + +| Name | Description | Value | +| ------------------------------------------ | ------------------------------------------------------------------------------------ | ------------ | +| `initPreScript` | Bash shell script copied verbatim to the start of the init-container. | `""` | +| `initContainersScriptsVolumeMountPath` | Path to mount the scripts consumed from the Secrets | `/usr/sbinx` | +| `initContainers.resources.limits` | initContainers.limits Kubernetes resource limits for init containers | `{}` | +| `initContainers.resources.requests.cpu` | initContainers.requests.cpu Kubernetes cpu resource limits for init containers | `100m` | +| `initContainers.resources.requests.memory` | initContainers.requests.memory Kubernetes memory resource limits for init containers | `128Mi` | + +### Signing + +| Name | Description | Value | +| ------------------------ | ----------------------------------------------------------------- | ------------------ | +| `signing.enabled` | Enable commit/action signing | `false` | +| `signing.gpgHome` | GPG home directory | `/data/git/.gnupg` | +| `signing.privateKey` | Inline private gpg key for signed internal Git activity | `""` | +| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` | + +### Gitea + +| Name | Description | Value | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -------------------- | +| `gitea.admin.username` | Username for the Gitea admin user | `gitea_admin` | +| `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` | +| `gitea.admin.password` | Password for the Gitea admin user | `r8sA8CPHD9!bt6d` | +| 
`gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` | +| `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` | +| `gitea.metrics.enabled` | Enable Gitea metrics | `false` | +| `gitea.metrics.token` | used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. | `nil` | +| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. | `false` | +| `gitea.metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. | `""` | +| `gitea.metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` | +| `gitea.metrics.serviceMonitor.scheme` | HTTP scheme to use for scraping. For example `http` or `https`. Default is http. | `""` | +| `gitea.metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used. | `""` | +| `gitea.metrics.serviceMonitor.tlsConfig` | TLS configuration to use when scraping the metric endpoint by Prometheus. | `{}` | +| `gitea.ldap` | LDAP configuration | `[]` | +| `gitea.oauth` | OAuth configuration | `[]` | +| `gitea.config.server.SSH_PORT` | SSH port for rootlful Gitea image | `22` | +| `gitea.config.server.SSH_LISTEN_PORT` | SSH port for rootless Gitea image | `2222` | +| `gitea.additionalConfigSources` | Additional configuration from secret or configmap | `[]` | +| `gitea.additionalConfigFromEnvs` | Additional configuration sources from environment variables | `[]` | +| `gitea.podAnnotations` | Annotations for the Gitea pod | `{}` | +| `gitea.ssh.logLevel` | Configure OpenSSH's log level. Only available for root-based Gitea image. 
| `INFO` | + +### LivenessProbe + +| Name | Description | Value | +| ----------------------------------------- | ------------------------------------------------ | ------ | +| `gitea.livenessProbe.enabled` | Enable liveness probe | `true` | +| `gitea.livenessProbe.tcpSocket.port` | Port to probe for liveness | `http` | +| `gitea.livenessProbe.initialDelaySeconds` | Initial delay before liveness probe is initiated | `200` | +| `gitea.livenessProbe.timeoutSeconds` | Timeout for liveness probe | `1` | +| `gitea.livenessProbe.periodSeconds` | Period for liveness probe | `10` | +| `gitea.livenessProbe.successThreshold` | Success threshold for liveness probe | `1` | +| `gitea.livenessProbe.failureThreshold` | Failure threshold for liveness probe | `10` | + +### ReadinessProbe + +| Name | Description | Value | +| ------------------------------------------ | ------------------------------------------------- | ------ | +| `gitea.readinessProbe.enabled` | Enable readiness probe | `true` | +| `gitea.readinessProbe.tcpSocket.port` | Port to probe for readiness | `http` | +| `gitea.readinessProbe.initialDelaySeconds` | Initial delay before readiness probe is initiated | `5` | +| `gitea.readinessProbe.timeoutSeconds` | Timeout for readiness probe | `1` | +| `gitea.readinessProbe.periodSeconds` | Period for readiness probe | `10` | +| `gitea.readinessProbe.successThreshold` | Success threshold for readiness probe | `1` | +| `gitea.readinessProbe.failureThreshold` | Failure threshold for readiness probe | `3` | + +### StartupProbe + +| Name | Description | Value | +| ---------------------------------------- | ----------------------------------------------- | ------- | +| `gitea.startupProbe.enabled` | Enable startup probe | `false` | +| `gitea.startupProbe.tcpSocket.port` | Port to probe for startup | `http` | +| `gitea.startupProbe.initialDelaySeconds` | Initial delay before startup probe is initiated | `60` | +| `gitea.startupProbe.timeoutSeconds` | Timeout for startup probe | 
`1` | +| `gitea.startupProbe.periodSeconds` | Period for startup probe | `10` | +| `gitea.startupProbe.successThreshold` | Success threshold for startup probe | `1` | +| `gitea.startupProbe.failureThreshold` | Failure threshold for startup probe | `10` | + +### valkey-cluster + +Valkey cluster and [Valkey](#valkey) cannot be enabled at the same time. + +| Name | Description | Value | +| ------------------------------------- | -------------------------------------------------------------------- | ------- | +| `valkey-cluster.enabled` | Enable valkey cluster | `true` | +| `valkey-cluster.usePassword` | Whether to use password authentication | `false` | +| `valkey-cluster.usePasswordFiles` | Whether to mount passwords as files instead of environment variables | `false` | +| `valkey-cluster.cluster.nodes` | Number of valkey cluster master nodes | `3` | +| `valkey-cluster.cluster.replicas` | Number of valkey cluster master node replicas | `0` | +| `valkey-cluster.service.ports.valkey` | Port of Valkey service | `6379` | + +### valkey + +Valkey and [Valkey cluster](#valkey-cluster) cannot be enabled at the same time. 
+
+| Name | Description | Value |
+| ------------------------------------ | ------------------------------------------- | ------------ |
+| `valkey.enabled` | Enable valkey standalone or replicated | `false` |
+| `valkey.architecture` | Whether to use standalone or replication | `standalone` |
+| `valkey.global.valkey.password` | Required password | `changeme` |
+| `valkey.master.count` | Number of Valkey master instances to deploy | `1` |
+| `valkey.master.service.ports.valkey` | Port of Valkey service | `6379` |
+
+### PostgreSQL HA
+
+| Name | Description | Value |
+| ------------------------------------------- | ---------------------------------------------------------------- | ----------- |
+| `postgresql-ha.enabled` | Enable PostgreSQL HA | `true` |
+| `postgresql-ha.postgresql.password` | Password for the `gitea` user (overrides `auth.password`) | `changeme4` |
+| `postgresql-ha.global.postgresql.database` | Name for a custom database to create (overrides `auth.database`) | `gitea` |
+| `postgresql-ha.global.postgresql.username` | Name for a custom user to create (overrides `auth.username`) | `gitea` |
+| `postgresql-ha.global.postgresql.password` | Name for a custom password to create (overrides `auth.password`) | `gitea` |
+| `postgresql-ha.postgresql.repmgrPassword` | Repmgr Password | `changeme2` |
+| `postgresql-ha.postgresql.postgresPassword` | postgres Password | `changeme1` |
+| `postgresql-ha.pgpool.adminPassword` | pgpool adminPassword | `changeme3` |
+| `postgresql-ha.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `5432` |
+| `postgresql-ha.persistence.size` | PVC Storage Request for PostgreSQL HA volume | `10Gi` |
+
+### PostgreSQL
+
+| Name | Description | Value |
+| ------------------------------------------------------- | ---------------------------------------------------------------- | ------- |
+| `postgresql.enabled` | Enable PostgreSQL | `false` |
+| `postgresql.global.postgresql.auth.password` | Password for the `gitea` user (overrides `auth.password`) | `gitea` |
+| `postgresql.global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `gitea` |
+| `postgresql.global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `gitea` |
+| `postgresql.global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `5432` |
+| `postgresql.primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `10Gi` |
+
+### Advanced
+
+| Name | Description | Value |
+| ------------------ | ------------------------------------------------------------------ | --------- |
+| `checkDeprecation` | Set it to false to skip this basic validation check. | `true` |
+| `test.enabled` | Set it to false to disable test-connection Pod. | `true` |
+| `test.image.name` | Image name for the wget container used in the test-connection Pod. | `busybox` |
+| `test.image.tag` | Image tag for the wget container used in the test-connection Pod. | `latest` |
+| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
+
+## Contributing
+
+Expected workflow is: Fork -> Patch -> Push -> Pull Request
+
+See [CONTRIBUTORS GUIDE](CONTRIBUTING.md) for details.
+
+## Upgrading
+
+This section lists major and breaking changes of each Helm Chart version.
+Please read them carefully to upgrade successfully, especially the change of the **default database backend**!
+If you miss this, blindly upgrading may delete your Postgres instance and you may lose your data!
+
+
+
+To 12.0.0
+
+
+
+**Breaking changes**
+
+
+- Outsourced "Actions" related configuration.
+ To deploy and use "Actions", please see the new dedicated chart at .
+ It is maintained by a seperate maintainer group and hasn't seen a release yet (at the time of the 12.0 release).
+ Feel encouraged to contribute if "Actions" is important to you!
+
+ This change was made to avoid overloading the existing helm chart, which is already quite large in size and configuration options.
+ In addition, the existing maintainers team was not actively using "Actions" which slowed down development and community contributions.
+ While the new chart is still young (and waiting for contributions! and maintainers), we believe that it is the best way moving forward for both parts.
+- Migrated from Redis/Redis-cluster to Valkey/Valkey-cluster charts (#775).
+ While marked as breaking, there is no need to migrate data.
+ The cache will start to refill automatically.
+- Migrated ingress from `networking.k8s.io/v1beta` to `networking.k8s.io/v1`.
+ We didn't make any changes to the syntax, so the upgrade should be seamless.
+
+
+
+
+
+To 11.0.0
+
+
+
+**Breaking changes**
+
+
+- Update Gitea to 1.23.x (review the [1.23 release blog post](https://blog.gitea.com/release-of-1.23.0/) for all application breaking changes)
+- Update PostgreSQL sub-chart dependencies to appVersion 17.x
+- Update Redis sub-chart to version 20.x (appVersion 7.4)
+ Although there are no breaking changes in the Redis Chart itself, it updates Redis from `7.2` to `7.4`. We recommend checking the release notes:
+ - [Redis Chart release notes (starting with v20.0.0)](https://github.com/bitnami/charts/blob/HEAD/bitnami/redis/CHANGELOG.md#2000-2024-08-09).
+ - [Redis 7.4 release notes](https://raw.githubusercontent.com/redis/redis/7.4/00-RELEASENOTES).
+- Update Redis Cluster sub-chart to version 11.x (appVersion 7.4)
+ Although there are no breaking changes in the Redis Chart itself, it updates Redis from `7.2` to `7.4`. We recommend checking the release notes:
+ - [Redis Chart release notes (starting with v11.0.0)](https://github.com/bitnami/charts/blob/HEAD/bitnami/redis-cluster/CHANGELOG.md#1100-2024-08-09).
+ - [Redis 7.4 release notes](https://raw.githubusercontent.com/redis/redis/7.4/00-RELEASENOTES).
+
+
+
+
+To 10.0.0
+
+
+
+**Breaking changes**
+
+
+- Update PostgreSQL sub-chart dependencies to appVersion 16.x
+- Update to sub-charts versioning approach: Users are encouraged to pin the version tag of the sub-chart dependencies to a major appVersion.
+ This avoids issues during chart upgrades and allows to incorporate new sub-chart versions as they are released.
+ Please see the new [README section describing the versioning approach for sub-chart versions](#dependency-versioning).
+
+
+
+
+
+To 9.6.0
+
+Chart 9.6.0 ships with Gitea 1.21.0.
+While there are no breaking changes in the chart, please check the changes of the [1.21 release blog post](https://blog.gitea.com/release-of-1.21.0/).
+
+
+
+
+
+To 9.0.0
+
+This chart release comes with many breaking changes while aiming for a HA-ready setup.
+Please go through all of them carefully to perform a successful upgrade.
+Here's a brief summary again, followed by more detailed migration instructions:
+
+- Switch from `Statefulset` to `Deployment`
+- Switch from `Memcached` to `redis-cluster` as the default session and queue provider
+- Switch from `postgres` to `postgres-ha` as the default database provider
+- A chart-internal PVC bootstrapping logic
+ - New `persistence.mount`: whether to mount an existent PVC (even if not creating it)
+ - New `persistence.create`: whether to create a new PVC
+ - Renamed `persistence.existingClaim` to `persistence.claimName`
+
+While not required, we recommend to start with a RWX PV for new installations.
+A RWX volume is required for installation aiming for HA.
+
+If you want to stay with a pre-existing RWO PV, you need to set
+
+- `persistence.mount=true`
+- `persistence.create=false`
+- `persistence.claimName` to the name of your existing PVC.
+
+If you do not, Gitea will create a new PVC which will in turn create a new PV.
+If this happened to you by accident, you can still recover your data by setting using the settings from above in a subsequent run.
+
+If you want to stay with a `memcache` instead of `redis-cluster`, you need to deploy `memcache` manually (e.g. from [bitnami](https://github.com/bitnami/charts/tree/main/bitnami/memcached)) and set
+
+- `cache.HOST = ""`
+- `cache.ADAPTER = "memcache"`
+- `session.PROVIDER = "memcache"`
+- `session.PROVIDER_CONFIG = ""`
+- `queue.TYPE = "memcache"`
+- `queue.CONN_STR = ""`
+
+The `memcache` connection string has the scheme `memcache://:`, e.g. `gitea-memcached.gitea.svc.cluster.local:11211`.
+The first item here (``) will be different compared to the example if you deploy `memcache` yourself.
+
+The above changes are motivated by the idea to tidy dependencies but also have HA-ready ones at the same time.
+The previous `memcache` default was not HA-ready, hence we decided to switch to `redis-cluster` by default.
+
+If you are coming from an existing deployment and [#356](https://gitea.com/gitea/helm-gitea/issues/356) is still open, you need to set the config sections for `cache`, `session` and `queue` explicitly:
+
+```yaml
+gitea:
+ config:
+ session:
+ PROVIDER: redis-cluster
+ PROVIDER_CONFIG: redis+cluster://:gitea@gitea-valkey-cluster-headless..svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+ cache:
+ ENABLED: true
+ ADAPTER: redis-cluster
+ HOST: redis+cluster://:gitea@gitea-valkey-cluster-headless..svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+ queue:
+ TYPE: redis
+ CONN_STR: redis+cluster://:gitea@gitea-valkey-cluster-headless..svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+```
+
+
+
+**Switch to rootless image by default**
+
+
+If you are facing errors like `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED` due to this automatic transition:
+Have a look at [this discussion](https://gitea.com/gitea/helm-gitea/issues/487#issue-220660) and either set `image.rootless: false` or manually update your `~/.ssh/known_hosts` file(s).
+
+
+
+**Transitioning from a RWO to RWX Persistent Volume**
+
+
+If you want to switch to a RWX volume and go for HA, you need to
+
+1. Backup the data stored under `/data`
+2. Let the chart create a new RWX PV (or do it statically yourself)
+3. Restore the backup to the same location in the new PV
+
+
+
+**Transitioning from Postgres to Postgres HA**
+
+
+If you are running with a non-HA PG DB from a previous chart release, you need to set
+
+- `postgresql-ha.enabled=false`
+- `postgresql.enabled=true`
+
+This is needed to stay with your existing single-instance DB (as the HA-variant is the new default).
+
+
+
+**Change of env-to-ini prefix**
+
+
+Before this release, the env-to-ini prefix was `ENV_TO_INI__`.
+This allowed a clear distinction between user-provided and chart-provided env-to-ini variables.
+Due to the removal custom prefix feature in the upstream implementation of env-to-ini, the prefix has been changed to the default `GITEA__`.
+
+If you previously had defined env vars that had the `ENV_TO_INI__` prefix, you need to change them to `GITEA__` in order for them to be picked up by the chart.
+
+
+
+
+
+To 8.0.0
+
+### Removal of MariaDB and MySQL DB chart dependencies
+
+In this version support for DB chart dependencies of MySQL and MariaDB have been removed to simplify the maintenance of the helm chart.
+External MySQL and MariaDB databases are still supported and will be in the future.
+
+### Postgres Update from v11 to v15
+
+This Chart version updates the Postgres chart dependency and subsequently Postgres from v11 to v15.
+Please read the [Postgres Release Notes](https://www.postgresql.org/docs/release/) for version-specific changes.
+With respect to `values.yaml`, parameters `username`, `database` and `password` have been regrouped under `auth` and slightly renamed.
+`persistence` has also been regrouped under the `primary` key.
+Please adjust your `values.yaml` accordingly.
+
+**Attention**: The Postgres upgrade is not automatically handled by the chart and must be done by yourself.
+See [this comment](https://gitea.com/gitea/helm-gitea/issues/452#issuecomment-740885) for an extensive walkthrough.
+We again highly encourage users to use an external (managed) database for production instances.
+
+
+
+
+
+To 7.0.0
+
+### Private GPG key configuration for Gitea signing actions
+
+Having `signing.enabled=true` now requires to use either `signing.privateKey` or `signing.existingSecret` so that the Chart can automatically prepare the GPG key for Gitea internal signing actions.
+See [Configure commit signing](#configure-commit-signing) for details.
+
+
+
+
+
+To 6.0.0
+
+### Different volume mounts for init-containers and runtime container
+
+**The `extraVolumeMounts` is deprecated** in favor of `extraInitVolumeMounts` and `extraContainerVolumeMounts`.
+You can now have different mounts for the initialization phase and Gitea runtime.
+The deprecated `extraVolumeMounts` will still be available for the time being and is mounted into every container.
+If you want to switch to the new settings and want to mount specific volumes into all containers, you have to configure their mount points within both new settings.
+
+**Combining values from the deprecated setting with values from the new settings is not possible.**
+
+### New `enabled` flag for `startupProbe`
+
+Prior to this version the `startupProbe` was just a commented sample within the `values.yaml`.
+With the migration to an auto-generated [Parameters](#parameters) section, a new parameter `gitea.startupProbe.enabled` has been introduced set to
+`false` by default.
+
+If you are using the `startupProbe` you need to add that new parameter and set it to `true`.
+Otherwise, your defined probe won't be considered after the upgrade.
+
+
+
+
+
+To 5.0.0
+
+> 💥 The Helm Chart now requires Gitea versions of at least 1.11.0.
+
+### Enable Dependencies
+
+The values to enable the dependencies, such as PostgreSQL, Memcached, MySQL and MariaDB have been moved from `gitea.database.builtIn.` to the dependency values.
+
+You can now enable the dependencies as followed:
+
+```yaml
+memcached:
+ enabled: true
+
+postgresql:
+ enabled: true
+
+mysql:
+ enabled: false
+
+mariadb:
+ enabled: false
+```
+
+### App.ini generation
+
+The app.ini generation has changed and now utilizes the environment-to-ini script provided by newer Gitea versions.
+This change ensures, that the app.ini is now persistent.
+
+### Secret Key generation
+
+Gitea secret keys (SECRET_KEY, INTERNAL_TOKEN, JWT_SECRET) are now generated automatically in certain situations:
+
+- New install: By default the secrets are created automatically.
+ If you provide secrets via `gitea.config` they will be used instead of automatic generation.
+- Existing installs: The secrets won't be deployed, neither via configuration nor via auto generation.
+ We explicitly prevent to set new secrets.
+
+> 💡 It would be possible to set new secret keys manually by entering the running container and rewriting the app.ini by hand.
+> However, this it is not advisable to do so for existing installations.
+> Certain settings like _LDAP_ would not be readable anymore.
+
+### Probes
+
+`gitea.customLivenessProbe`, `gitea.customReadinessProbe` and `gitea.customStartupProbe` have been removed.
+
+They are replaced by the settings `gitea.livenessProbe`, `gitea.readinessProbe` and `gitea.startupProbe` which are now fully configurable and used _as-is_ for
+a Chart deployment.
+If you have customized their values instead of using the `custom` prefixed settings, please ensure that you remove the `enabled` property from each of them.
+
+In case you want to disable one of these probes, let's say the `livenessProbe`, add the following to your values.
+The `podAnnotation` is just there to have a bit more context.
+
+```diff
+gitea:
++ livenessProbe:
+ podAnnotations: {}
+```
+
+### Multiple OAuth and LDAP authentication sources
+
+With `5.0.0` of this Chart it is now possible to configure Gitea with multiple OAuth and LDAP sources.
+As a result, you need to update an existing OAuth/LDAP configuration in your customized `values.yaml` by replacing the object with settings to a list
+of settings objects.
+See [OAuth2 Settings](#oauth2-settings) and [LDAP Settings](#ldap-settings) section for details.
+
+
+
+
+
+To 4.0.0
+
+### Ingress changes
+
+To provide a more flexible Ingress configuration we now support not only host settings but also provide configuration for the path and pathType.
+So this change changes the hosts from a simple string list, to a list containing a more complex object for more configuration.
+
+```diff
+ingress:
+ enabled: false
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+- hosts:
+- - git.example.com
++ hosts:
++ - host: git.example.com
++ paths:
++ - path: /
++ pathType: Prefix
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - git.example.com
+```
+
+If you want everything as it was before, you can simply add the following code to all your host entries.
+
+```yaml
+paths:
+ - path: /
+ pathType: Prefix
+```
+
+### Dropped kebab-case support
+
+In 3.x.x it was possible to provide an ldap configuration via kebab-case, this support has now been dropped and only camel case is supported.
+See [LDAP section](#ldap-settings) for more information.
+
+### Dependency update
+
+The chart comes with multiple databases and Memcached as dependency, the latest release updated the dependencies.
+
+- Memcached: `4.2.20` -> `5.9.0`
+- PostgreSQL: `9.7.2` -> `10.3.17`
+- MariaDB: `8.0.0` -> `9.3.6`
+
+If you're using the builtin databases you will most likely redeploy the chart in order to update the database correctly.
+
+### Execution of initPreScript
+
+Generally spoken, this might not be a breaking change, but it is worth to be mentioned.
+
+Prior to `4.0.0` only one init container was used to both setup directories and configure Gitea.
+As of now the actual Gitea configuration is separated from the other pre-execution.
+This also includes the execution of _initPreScript_.
+If you have such script, please be aware of this.
+Dynamically prepare the Gitea setup during execution by e.g. adding environment variables to the execution context won't work anymore.
+
+### Gitea Version 1.14.X repository ROOT
+
+Previously the ROOT folder for the Gitea repositories was located at `/data/git/gitea-repositories`.
+In version `1.14` has the path been changed to `/data/gitea-repositories`.
+
+This chart will set the `gitea.config.repository.ROOT` value default to `/data/git/gitea-repositories`.
+
+
diff --git a/charts/helm-gitea/docs/ha-setup.md b/charts/helm-gitea/docs/ha-setup.md
new file mode 100644
index 0000000..99b87e6
--- /dev/null
+++ b/charts/helm-gitea/docs/ha-setup.md
@@ -0,0 +1,178 @@
+# High Availability
+
+All components (in-memory DB, volume/asset storage, code indexer) used by Gitea must be deployed in a HA-ready fashion to achieve a full HA-ready Gitea deployment.
+The following document explains how to achieve this for all individual components.
+
+The resulting Gitea deployment will consist of ~ 10 pods (depending on the chosen components and their replicas).
+One should evaluate upfront whether a HA-deployment is required as switching between HA/non-HA comes with some effort.
+For production instances, HA is always recommended to increase uptime and have a frictionless update process.
+
+A general comment about chart dependencies and external services:
+Instead of relying on chart dependencies, it is often better to rely on an external, (managed) instances (in-memory database, asset storage provider, database, etc.).
+Many cloud providers offer such services, at least for databases or in-memory databases.
+They might cost a bit more than using a self-hosted k8s variant but are usually easier to maintain and scale, if needed.
+Also they can be centrally managed and are not linked to the Gitea helm chart or namespace.
+Please consider using external services before you start with your Gitea HA setup, it will make your life (and the life of the Gitea maintainers) easier.
+
+This helm chart tries to help as much as possible to simplify and assert the provisioning of a HA-ready Gitea instance by implementing smart conditionals if `replicaCount` is set to a value > 1.
+Nevertheless, we cannot guarantee for every possible combination of Gitea settings to work together perfectly in a HA setup.
+As a general advice, we recommend to have a test environment aside on which to test possible changes/upgrades before applying these to a production installation.
+
+## Requirements for HA
+
+Storage-wise, the HA-Gitea setup requires a RWX file-system which can be shared among the deployment-based replica pods.
+In addition, the following components are required for full HA-readiness:
+
+- A HA-ready issue (and optionally code) indexer: `elasticsearch` or `meilisearch`
+- A HA-ready external object/asset storage (`minio`) (optional, assets can also be stored on the RWX file-system)
+- A HA-ready cache (`valkey-cluster`)
+- A HA-ready DB
+
+`postgres.enabled`, which default to `true`, must be set to `false` for a HA setup.
+The default `postgres` chart dependency is not HA-ready (there's a dedicated `postgres-ha` chart).
+
+The following sections discuss each of the components in more detail.
+Note that for each component discussed, the shown configurations only provides a (working) starting point, not necessarily the most optimal setup.
+We try to optimize this document over time as we have gained more experience with HA setups from users.
+
+## Indexers (Issues and code/repo)
+
+The default code indexer `bleve` is not able to allow multiple connections and hence cannot be used in a HA setup.
+Alternatives are `elasticsearch` and `meilisearch` (as of >= 1.19.2).
+Unless you have an existing `elasticsearch` cluster, we recommend using `meilisearch` as it is faster and requires way less resources.
+
+Unfortunately, `meilisearch` does only support the `ISSUE_INDEXER` and not the `REPO_INDEXER` yet ([tracking issue](https://github.com/go-gitea/gitea/pull/24149)).
+This means that the `REPO_INDEXER` must still be disabled for a HA setup right now.
+An alternative to the two options above for the `ISSUE_INDEXER` is `"db"`, however we recommend to just go with `meilisearch` in this case and to not bother the DB with indexing.
+
+To configure `meilisearch` within Gitea, do the following:
+
+```yml
+gitea:
+ config:
+ indexer:
+ ISSUE_INDEXER_CONN_STR: .svc.cluster.local:7700>
+ ISSUE_INDEXER_ENABLED: true
+ ISSUE_INDEXER_TYPE: meilisearch
+ REPO_INDEXER_ENABLED: false
+ # REPO_INDEXER_TYPE: meilisearch # not yet working
+```
+
+Unfortunately `meilisearch` cannot be deployed in HA as of now.
+Nevertheless it allows for multiple Gitea requests at the same time and is therefore required in a HA setup.
+
+Exemplary configuration for the [meilisearch-kubernetes](https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch) chart:
+
+```yaml
+persistence:
+ enabled: true
+ accessMode: ReadWriteOnce
+ size: 5Gi
+```
+
+## Cache, session and queue
+
+A `valkey` instance is required for the in-memory cache.
+Two options exist:
+
+- `valkey`
+- `valkey-cluster`
+
+The chart provides `valkey-cluster` as a dependency as this one can be used for both HA and non-HA setups.
+You're also welcome to go with `valkey` if you prefer or already have a running instance.
+
+It should be noted that `valkey-cluster` support is only available starting with Gitea 1.19.2.
+You can also configure an external (managed) `valkey` instance to be used.
+To do so, you need to set the following configuration values yourself:
+
+- `gitea.config.queue.TYPE`: valkey`
+- `gitea.config.queue.CONN_STR`: ``
+
+- `gitea.config.session.PROVIDER`: `valkey`
+- `gitea.config.session.PROVIDER_CONFIG`: ``
+
+- `gitea.config.cache.ENABLED`: `true`
+- `gitea.config.cache.ADAPTER`: `valkey`
+- `gitea.config.cache.HOST`: ``
+
+By default, the `valkey-cluster` chart provisions three standalone master nodes of which each has a single replica.
+To reduce the number of pods for a default Gitea deployment, we opted to omit the replicas (`replicas: 0`) by default.
+Only the minimum required number of master pods for a functional `valkey-cluster` deployment are provisioned.
+For a "proper" `valkey-cluster` setup however, we recommend to set `replicas: 1` and `nodes: 6`.
+
+## Object and asset storage
+
+Object/asset storage refers to the storage of attachments, avatars, LFS files, etc.
+While most of these can be stored on the RWX file-system, it is recommended to use an external S3-compatible object storage for such, mainly for performance reasons.
+
+By default the chart provisions a single RWO volume to store everything (repos, avatars, packages, etc.).
+This volume cannot be mounted by multiple pods.
+Hence, a RWX volume is required and (optionally) an external HA-ready object storage.
+
+> **Note:** Double-check that the file permissions are set correctly on the RWX volume! That is everything should be owned by the `git` user which usually has `uid=1000` and `gid=1000`.
+
+To use `minio` you need to deploy and configure an external `minio` instance yourself and explicitly define the `STORAGE_TYPE` values as shown below.
+
+Note that `MINIO_BUCKET` here is just a name and does not refer to a S3 bucket.
+It's the root access point for all objects belonging to the respective application, i.e., to Gitea in this case.
+
+```yaml
+gitea:
+ config:
+ attachment:
+ STORAGE_TYPE: minio
+ lfs:
+ STORAGE_TYPE: minio
+ picture:
+ AVATAR_STORAGE_TYPE: minio
+ "storage.packages":
+ STORAGE_TYPE: minio
+
+ storage:
+ MINIO_ENDPOINT: .svc.cluster.local:9000>
+ MINIO_LOCATION:
+ MINIO_ACCESS_KEY_ID:
+ MINIO_SECRET_ACCESS_KEY:
+ MINIO_BUCKET:
+ MINIO_USE_SSL: false
+```
+
+Exemplary configuration for the [bitnami minio](https://github.com/bitnami/charts/blob/main/bitnami/minio) chart:
+
+```yaml
+auth:
+ rootUser: minio
+mode: distributed
+replicaCount: 4
+persistence:
+ enabled: true
+ size: 20Gi
+ accessModes:
+ - ReadWriteOnce
+```
+
+## Database
+
+If you do not have an HA-ready DB, using a managed database service in the cloud might be the easiest and most robust solution.
+Remember: disable the built-in `postgres` dependency and configure the database connection manually via `gitea.config.database`:
+
+```yml
+gitea:
+ database:
+ builtIn:
+ postgresql:
+ enabled: false
+ config:
+ database:
+ DB_TYPE: postgres
+ HOST:
+ NAME:
+ USER:
+```
+
+## Known issues
+
+- Currently Cron jobs are run on all replicas as no leader election is implemented.
+ See [https://github.com/go-gitea/gitea/issues/13791](https://github.com/go-gitea/gitea/issues/13791) for a discussion and possible solution.
+
+- Running with multiple replicas slows down Gitea a bit, i.e. page loading time increases.
\ No newline at end of file
diff --git a/charts/helm-gitea/package-lock.json b/charts/helm-gitea/package-lock.json
new file mode 100644
index 0000000..43f456b
--- /dev/null
+++ b/charts/helm-gitea/package-lock.json
@@ -0,0 +1,1663 @@ +{ + "name": "gitea-helm", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "gitea-helm", + "license": "MIT", + "devDependencies": { + "@bitnami/readme-generator-for-helm": "^2.5.0", + "markdownlint-cli": "^0.44.0" + }, + "engines": { + "node": ">=16.0.0", + "npm": ">=8.0.0" + } + }, + "node_modules/@bitnami/readme-generator-for-helm": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/@bitnami/readme-generator-for-helm/-/readme-generator-for-helm-2.7.0.tgz", + "integrity": "sha512-fVxExmcuJ9NZb9ZE9OW3+lG8pUlXJAJdaO8UukV3A7WzYu4qOTr03MXPH9Gt5e/6mo3x4WYI/cXBksKfS0qn3w==", + "dev": true, + "license": "Apache-2.0", + "dependencies": { + "commander": "^13.1.0", + "dot-object": "^2.1.5", + "lodash": "^4.17.21", + "markdown-table": "^2.0.0", + "yaml": "^2.7.0" + }, + "bin": { + "readme-generator": "bin/index.js" + } + }, + "node_modules/@isaacs/cliui": { + "version": "8.0.2", + "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz", + "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==", + "dev": true, + "dependencies": { + "string-width": "^5.1.2", + "string-width-cjs": "npm:string-width@^4.2.0", + "strip-ansi": "^7.0.1", + "strip-ansi-cjs": "npm:strip-ansi@^6.0.1", + "wrap-ansi": "^8.1.0", + "wrap-ansi-cjs": "npm:wrap-ansi@^7.0.0" + }, + "engines": { + "node": ">=12" + } + }, + "node_modules/@pkgjs/parseargs": { + "version": "0.11.0", + "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz", + "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==", + "dev": true, + "license": "MIT", + "optional": true, + "engines": { + "node": ">=14" + } + }, + "node_modules/@types/debug": { + "version": "4.1.12", + "resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.12.tgz", + "integrity": 
"sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "@types/ms": "*" + } + }, + "node_modules/@types/katex": { + "version": "0.16.7", + "resolved": "https://registry.npmjs.org/@types/katex/-/katex-0.16.7.tgz", + "integrity": "sha512-HMwFiRujE5PjrgwHQ25+bsLJgowjGjm5Z8FVSf0N6PwgJrwxH0QxzHYDcKsTfV3wva0vzrpqMTJS2jXPr5BMEQ==", + "dev": true, + "license": "MIT" + }, + "node_modules/@types/ms": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@types/ms/-/ms-2.1.0.tgz", + "integrity": "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==", + "dev": true, + "license": "MIT" + }, + "node_modules/@types/unist": { + "version": "2.0.11", + "resolved": "https://registry.npmjs.org/@types/unist/-/unist-2.0.11.tgz", + "integrity": "sha512-CmBKiL6NNo/OqgmMn95Fk9Whlp2mtvIv+KNpQKN2F4SjvrEesubTRWGYSg+BnWZOnlCaSTU1sMpsBOzgbYhnsA==", + "dev": true, + "license": "MIT" + }, + "node_modules/ansi-regex": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.0.1.tgz", + "integrity": "sha512-n5M855fKb2SsfMIiFFoVrABHJC8QtHwVx+mHWP3QcEqBHYienj5dHSgjbxtC0WEZXYt4wcD6zrQElDPhFuZgfA==", + "dev": true, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-regex?sponsor=1" + } + }, + "node_modules/ansi-styles": { + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz", + "integrity": "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==", + "dev": true, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/argparse": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz", + "integrity": 
"sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==", + "dev": true + }, + "node_modules/balanced-match": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", + "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", + "dev": true + }, + "node_modules/brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "dev": true, + "dependencies": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "node_modules/character-entities": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/character-entities/-/character-entities-2.0.2.tgz", + "integrity": "sha512-shx7oQ0Awen/BRIdkjkvz54PnEEI/EjwXDSIZp86/KKdbafHh1Df/RYGBhn4hbe2+uKC9FnT5UCEdyPz3ai9hQ==", + "dev": true, + "license": "MIT", + "funding": { + "type": "github", + "url": "https://github.com/sponsors/wooorm" + } + }, + "node_modules/character-entities-legacy": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/character-entities-legacy/-/character-entities-legacy-3.0.0.tgz", + "integrity": "sha512-RpPp0asT/6ufRm//AJVwpViZbGM/MkjQFxJccQRHmISF/22NBtsHqAWmL+/pmkPWoIUJdWyeVleTl1wydHATVQ==", + "dev": true, + "license": "MIT", + "funding": { + "type": "github", + "url": "https://github.com/sponsors/wooorm" + } + }, + "node_modules/character-reference-invalid": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/character-reference-invalid/-/character-reference-invalid-2.0.1.tgz", + "integrity": "sha512-iBZ4F4wRbyORVsu0jPV7gXkOsGYjGHPmAyv+HiHG8gi5PtC9KI2j1+v8/tlibRvjoWX027ypmG/n0HtO5t7unw==", + "dev": true, + "license": "MIT", + "funding": { + "type": "github", + "url": "https://github.com/sponsors/wooorm" + } + }, + 
"node_modules/color-convert": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz", + "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==", + "dev": true, + "dependencies": { + "color-name": "~1.1.4" + }, + "engines": { + "node": ">=7.0.0" + } + }, + "node_modules/color-name": { + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz", + "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==", + "dev": true + }, + "node_modules/commander": { + "version": "13.1.0", + "resolved": "https://registry.npmjs.org/commander/-/commander-13.1.0.tgz", + "integrity": "sha512-/rFeCpNJQbhSZjGVwO9RFV3xPqbnERS8MmIQzCtD/zl6gpJuV/bMLuN92oG3F7d8oDEHHRrujSXNUr8fpjntKw==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=18" + } + }, + "node_modules/concat-map": { + "version": "0.0.1", + "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", + "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==", + "dev": true + }, + "node_modules/cross-spawn": { + "version": "7.0.3", + "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz", + "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==", + "dev": true, + "dependencies": { + "path-key": "^3.1.0", + "shebang-command": "^2.0.0", + "which": "^2.0.1" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/debug": { + "version": "4.4.0", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz", + "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==", + "dev": true, + "license": "MIT", + "dependencies": { + "ms": "^2.1.3" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + 
"supports-color": { + "optional": true + } + } + }, + "node_modules/decode-named-character-reference": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/decode-named-character-reference/-/decode-named-character-reference-1.0.2.tgz", + "integrity": "sha512-O8x12RzrUF8xyVcY0KJowWsmaJxQbmy0/EtnNtHRpsOcT7dFk5W598coHqBVpmWo1oQQfsCqfCmkZN5DJrZVdg==", + "dev": true, + "license": "MIT", + "dependencies": { + "character-entities": "^2.0.0" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/wooorm" + } + }, + "node_modules/deep-extend": { + "version": "0.6.0", + "resolved": "https://registry.npmjs.org/deep-extend/-/deep-extend-0.6.0.tgz", + "integrity": "sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==", + "dev": true, + "engines": { + "node": ">=4.0.0" + } + }, + "node_modules/dequal": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/dequal/-/dequal-2.0.3.tgz", + "integrity": "sha512-0je+qPKHEMohvfRTCEo3CrPG6cAzAYgmzKyxRiYSSDkS6eGJdyVJm7WaYA5ECaAD9wLB2T4EEeymA5aFVcYXCA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=6" + } + }, + "node_modules/devlop": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/devlop/-/devlop-1.1.0.tgz", + "integrity": "sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA==", + "dev": true, + "license": "MIT", + "dependencies": { + "dequal": "^2.0.0" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/wooorm" + } + }, + "node_modules/dot-object": { + "version": "2.1.5", + "resolved": "https://registry.npmjs.org/dot-object/-/dot-object-2.1.5.tgz", + "integrity": "sha512-xHF8EP4XH/Ba9fvAF2LDd5O3IITVolerVV6xvkxoM8zlGEiCUrggpAnHyOoKJKCrhvPcGATFAUwIujj7bRG5UA==", + "dev": true, + "license": "MIT", + "dependencies": { + "commander": "^6.1.0", + "glob": "^7.1.6" + }, + "bin": { + "dot-object": "bin/dot-object" + } + }, + 
"node_modules/dot-object/node_modules/commander": { + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/commander/-/commander-6.2.1.tgz", + "integrity": "sha512-U7VdrJFnJgo4xjrHpTzu0yrHPGImdsmD95ZlgYSEajAn2JKzDhDTPG9kBTefmObL2w/ngeZnilk+OV9CG3d7UA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 6" + } + }, + "node_modules/eastasianwidth": { + "version": "0.2.0", + "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz", + "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==", + "dev": true + }, + "node_modules/emoji-regex": { + "version": "9.2.2", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz", + "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==", + "dev": true + }, + "node_modules/entities": { + "version": "4.5.0", + "resolved": "https://registry.npmjs.org/entities/-/entities-4.5.0.tgz", + "integrity": "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==", + "dev": true, + "engines": { + "node": ">=0.12" + }, + "funding": { + "url": "https://github.com/fb55/entities?sponsor=1" + } + }, + "node_modules/foreground-child": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.1.1.tgz", + "integrity": "sha512-TMKDUnIte6bfb5nWv7V/caI169OHgvwjb7V4WkeUvbQQdjr5rWKqHFiKWb/fcOwB+CzBT+qbWjvj+DVwRskpIg==", + "dev": true, + "dependencies": { + "cross-spawn": "^7.0.0", + "signal-exit": "^4.0.1" + }, + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/fs.realpath": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", + "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==", + "dev": true + }, + 
"node_modules/glob": { + "version": "7.2.3", + "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", + "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", + "dev": true, + "dependencies": { + "fs.realpath": "^1.0.0", + "inflight": "^1.0.4", + "inherits": "2", + "minimatch": "^3.1.1", + "once": "^1.3.0", + "path-is-absolute": "^1.0.0" + }, + "engines": { + "node": "*" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/ignore": { + "version": "7.0.3", + "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.3.tgz", + "integrity": "sha512-bAH5jbK/F3T3Jls4I0SO1hmPR0dKU0a7+SY6n1yzRtG54FLO8d6w/nxLFX2Nb7dBu6cCWXPaAME6cYqFUMmuCA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 4" + } + }, + "node_modules/inflight": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", + "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", + "dev": true, + "dependencies": { + "once": "^1.3.0", + "wrappy": "1" + } + }, + "node_modules/inherits": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", + "dev": true + }, + "node_modules/ini": { + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/ini/-/ini-4.1.1.tgz", + "integrity": "sha512-QQnnxNyfvmHFIsj7gkPcYymR8Jdw/o7mp5ZFihxn6h8Ci6fh3Dx4E1gPjpQEpIuPo9XVNY/ZUwh4BPMjGyL01g==", + "dev": true, + "engines": { + "node": "^14.17.0 || ^16.13.0 || >=18.0.0" + } + }, + "node_modules/is-alphabetical": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/is-alphabetical/-/is-alphabetical-2.0.1.tgz", + "integrity": "sha512-FWyyY60MeTNyeSRpkM2Iry0G9hpr7/9kD40mD/cGQEuilcZYS4okz8SN2Q6rLCJ8gbCt6fN+rC+6tMGS99LaxQ==", + "dev": true, + "license": 
"MIT", + "funding": { + "type": "github", + "url": "https://github.com/sponsors/wooorm" + } + }, + "node_modules/is-alphanumerical": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/is-alphanumerical/-/is-alphanumerical-2.0.1.tgz", + "integrity": "sha512-hmbYhX/9MUMF5uh7tOXyK/n0ZvWpad5caBA17GsC6vyuCqaWliRG5K1qS9inmUhEMaOBIW7/whAnSwveW/LtZw==", + "dev": true, + "license": "MIT", + "dependencies": { + "is-alphabetical": "^2.0.0", + "is-decimal": "^2.0.0" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/wooorm" + } + }, + "node_modules/is-decimal": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/is-decimal/-/is-decimal-2.0.1.tgz", + "integrity": "sha512-AAB9hiomQs5DXWcRB1rqsxGUstbRroFOPPVAomNk/3XHR5JyEZChOyTWe2oayKnsSsr/kcGqF+z6yuH6HHpN0A==", + "dev": true, + "license": "MIT", + "funding": { + "type": "github", + "url": "https://github.com/sponsors/wooorm" + } + }, + "node_modules/is-fullwidth-code-point": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", + "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/is-hexadecimal": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/is-hexadecimal/-/is-hexadecimal-2.0.1.tgz", + "integrity": "sha512-DgZQp241c8oO6cA1SbTEWiXeoxV42vlcJxgH+B3hi1AiqqKruZR3ZGF8In3fj4+/y/7rHvlOZLZtgJ/4ttYGZg==", + "dev": true, + "license": "MIT", + "funding": { + "type": "github", + "url": "https://github.com/sponsors/wooorm" + } + }, + "node_modules/isexe": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", + "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==", + "dev": true + }, + "node_modules/js-yaml": { + "version": "4.1.0", + "resolved": 
"https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz", + "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==", + "dev": true, + "dependencies": { + "argparse": "^2.0.1" + }, + "bin": { + "js-yaml": "bin/js-yaml.js" + } + }, + "node_modules/jsonc-parser": { + "version": "3.3.1", + "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.3.1.tgz", + "integrity": "sha512-HUgH65KyejrUFPvHFPbqOY0rsFip3Bo5wb4ngvdi1EpCYWUQDC5V+Y7mZws+DLkr4M//zQJoanu1SP+87Dv1oQ==", + "dev": true, + "license": "MIT" + }, + "node_modules/jsonpointer": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/jsonpointer/-/jsonpointer-5.0.1.tgz", + "integrity": "sha512-p/nXbhSEcu3pZRdkW1OfJhpsVtW1gd4Wa1fnQc9YLiTfAjn0312eMKimbdIQzuZl9aa9xUGaRlP9T/CJE/ditQ==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/katex": { + "version": "0.16.21", + "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.21.tgz", + "integrity": "sha512-XvqR7FgOHtWupfMiigNzmh+MgUVmDGU2kXZm899ZkPfcuoPuFxyHmXsgATDpFZDAXCI8tvinaVcDo8PIIJSo4A==", + "dev": true, + "funding": [ + "https://opencollective.com/katex", + "https://github.com/sponsors/katex" + ], + "license": "MIT", + "dependencies": { + "commander": "^8.3.0" + }, + "bin": { + "katex": "cli.js" + } + }, + "node_modules/katex/node_modules/commander": { + "version": "8.3.0", + "resolved": "https://registry.npmjs.org/commander/-/commander-8.3.0.tgz", + "integrity": "sha512-OkTL9umf+He2DZkUq8f8J9of7yL6RJKI24dVITBmNfZBmri9zYZQrKkuXiKhyfPSu8tUhnVBB1iKXevvnlR4Ww==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 12" + } + }, + "node_modules/linkify-it": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.0.tgz", + "integrity": "sha512-5aHCbzQRADcdP+ATqnDuhhJ/MRIqDkZX5pyjFHRRysS8vZ5AbqGEoFIb6pYHPZ+L/OC2Lc+xT8uHVVR5CAK/wQ==", + "dev": true, + "dependencies": { + "uc.micro": "^2.0.0" + } + }, + 
"node_modules/lodash": { + "version": "4.17.21", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", + "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", + "dev": true + }, + "node_modules/markdown-it": { + "version": "14.1.0", + "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.0.tgz", + "integrity": "sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==", + "dev": true, + "dependencies": { + "argparse": "^2.0.1", + "entities": "^4.4.0", + "linkify-it": "^5.0.0", + "mdurl": "^2.0.0", + "punycode.js": "^2.3.1", + "uc.micro": "^2.1.0" + }, + "bin": { + "markdown-it": "bin/markdown-it.mjs" + } + }, + "node_modules/markdown-table": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/markdown-table/-/markdown-table-2.0.0.tgz", + "integrity": "sha512-Ezda85ToJUBhM6WGaG6veasyym+Tbs3cMAw/ZhOPqXiYsr0jgocBV3j3nx+4lk47plLlIqjwuTm/ywVI+zjJ/A==", + "dev": true, + "dependencies": { + "repeat-string": "^1.0.0" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/wooorm" + } + }, + "node_modules/markdownlint": { + "version": "0.37.4", + "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.37.4.tgz", + "integrity": "sha512-u00joA/syf3VhWh6/ybVFkib5Zpj2e5KB/cfCei8fkSRuums6nyisTWGqjTWIOFoFwuXoTBQQiqlB4qFKp8ncQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "markdown-it": "14.1.0", + "micromark": "4.0.1", + "micromark-core-commonmark": "2.0.2", + "micromark-extension-directive": "3.0.2", + "micromark-extension-gfm-autolink-literal": "2.1.0", + "micromark-extension-gfm-footnote": "2.1.0", + "micromark-extension-gfm-table": "2.1.0", + "micromark-extension-math": "3.1.0", + "micromark-util-types": "2.0.1" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/DavidAnson" + } + }, + "node_modules/markdownlint-cli": { + "version": 
"0.44.0", + "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.44.0.tgz", + "integrity": "sha512-ZJTAONlvF9NkrIBltCdW15DxN9UTbPiKMEqAh2EU2gwIFlrCMavyCEPPO121cqfYOrLUJWW8/XKWongstmmTeQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "commander": "~13.1.0", + "glob": "~10.4.5", + "ignore": "~7.0.3", + "js-yaml": "~4.1.0", + "jsonc-parser": "~3.3.1", + "jsonpointer": "~5.0.1", + "markdownlint": "~0.37.4", + "minimatch": "~9.0.5", + "run-con": "~1.3.2", + "smol-toml": "~1.3.1" + }, + "bin": { + "markdownlint": "markdownlint.js" + }, + "engines": { + "node": ">=18" + } + }, + "node_modules/markdownlint-cli/node_modules/brace-expansion": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", + "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==", + "dev": true, + "license": "MIT", + "dependencies": { + "balanced-match": "^1.0.0" + } + }, + "node_modules/markdownlint-cli/node_modules/glob": { + "version": "10.4.5", + "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz", + "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==", + "dev": true, + "license": "ISC", + "dependencies": { + "foreground-child": "^3.1.0", + "jackspeak": "^3.1.2", + "minimatch": "^9.0.4", + "minipass": "^7.1.2", + "package-json-from-dist": "^1.0.0", + "path-scurry": "^1.11.1" + }, + "bin": { + "glob": "dist/esm/bin.mjs" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/markdownlint-cli/node_modules/jackspeak": { + "version": "3.4.3", + "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz", + "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==", + "dev": true, + "license": "BlueOak-1.0.0", + "dependencies": { + "@isaacs/cliui": "^8.0.2" + }, + "funding": { + "url": 
"https://github.com/sponsors/isaacs" + }, + "optionalDependencies": { + "@pkgjs/parseargs": "^0.11.0" + } + }, + "node_modules/markdownlint-cli/node_modules/lru-cache": { + "version": "10.4.3", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz", + "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==", + "dev": true, + "license": "ISC" + }, + "node_modules/markdownlint-cli/node_modules/minimatch": { + "version": "9.0.5", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz", + "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==", + "dev": true, + "license": "ISC", + "dependencies": { + "brace-expansion": "^2.0.1" + }, + "engines": { + "node": ">=16 || 14 >=14.17" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/markdownlint-cli/node_modules/path-scurry": { + "version": "1.11.1", + "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz", + "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==", + "dev": true, + "license": "BlueOak-1.0.0", + "dependencies": { + "lru-cache": "^10.2.0", + "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" + }, + "engines": { + "node": ">=16 || 14 >=14.18" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/mdurl": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/mdurl/-/mdurl-2.0.0.tgz", + "integrity": "sha512-Lf+9+2r+Tdp5wXDXC4PcIBjTDtq4UKjCPMQhKIuzpJNW0b96kVqSwW0bT7FhRSfmAiFYgP+SCRvdrDozfh0U5w==", + "dev": true + }, + "node_modules/micromark": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/micromark/-/micromark-4.0.1.tgz", + "integrity": "sha512-eBPdkcoCNvYcxQOAKAlceo5SNdzZWfF+FcSupREAzdAh9rRmE239CEQAiTwIgblwnoM8zzj35sZ5ZwvSEOF6Kw==", + "dev": true, + "funding": [ + { + "type": "GitHub 
Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT", + "dependencies": { + "@types/debug": "^4.0.0", + "debug": "^4.0.0", + "decode-named-character-reference": "^1.0.0", + "devlop": "^1.0.0", + "micromark-core-commonmark": "^2.0.0", + "micromark-factory-space": "^2.0.0", + "micromark-util-character": "^2.0.0", + "micromark-util-chunked": "^2.0.0", + "micromark-util-combine-extensions": "^2.0.0", + "micromark-util-decode-numeric-character-reference": "^2.0.0", + "micromark-util-encode": "^2.0.0", + "micromark-util-normalize-identifier": "^2.0.0", + "micromark-util-resolve-all": "^2.0.0", + "micromark-util-sanitize-uri": "^2.0.0", + "micromark-util-subtokenize": "^2.0.0", + "micromark-util-symbol": "^2.0.0", + "micromark-util-types": "^2.0.0" + } + }, + "node_modules/micromark-core-commonmark": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/micromark-core-commonmark/-/micromark-core-commonmark-2.0.2.tgz", + "integrity": "sha512-FKjQKbxd1cibWMM1P9N+H8TwlgGgSkWZMmfuVucLCHaYqeSvJ0hFeHsIa65pA2nYbes0f8LDHPMrd9X7Ujxg9w==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT", + "dependencies": { + "decode-named-character-reference": "^1.0.0", + "devlop": "^1.0.0", + "micromark-factory-destination": "^2.0.0", + "micromark-factory-label": "^2.0.0", + "micromark-factory-space": "^2.0.0", + "micromark-factory-title": "^2.0.0", + "micromark-factory-whitespace": "^2.0.0", + "micromark-util-character": "^2.0.0", + "micromark-util-chunked": "^2.0.0", + "micromark-util-classify-character": "^2.0.0", + "micromark-util-html-tag-name": "^2.0.0", + "micromark-util-normalize-identifier": "^2.0.0", + "micromark-util-resolve-all": "^2.0.0", + "micromark-util-subtokenize": "^2.0.0", + 
"micromark-util-symbol": "^2.0.0", + "micromark-util-types": "^2.0.0" + } + }, + "node_modules/micromark-extension-directive": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/micromark-extension-directive/-/micromark-extension-directive-3.0.2.tgz", + "integrity": "sha512-wjcXHgk+PPdmvR58Le9d7zQYWy+vKEU9Se44p2CrCDPiLr2FMyiT4Fyb5UFKFC66wGB3kPlgD7q3TnoqPS7SZA==", + "dev": true, + "license": "MIT", + "dependencies": { + "devlop": "^1.0.0", + "micromark-factory-space": "^2.0.0", + "micromark-factory-whitespace": "^2.0.0", + "micromark-util-character": "^2.0.0", + "micromark-util-symbol": "^2.0.0", + "micromark-util-types": "^2.0.0", + "parse-entities": "^4.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/unified" + } + }, + "node_modules/micromark-extension-gfm-autolink-literal": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/micromark-extension-gfm-autolink-literal/-/micromark-extension-gfm-autolink-literal-2.1.0.tgz", + "integrity": "sha512-oOg7knzhicgQ3t4QCjCWgTmfNhvQbDDnJeVu9v81r7NltNCVmhPy1fJRX27pISafdjL+SVc4d3l48Gb6pbRypw==", + "dev": true, + "license": "MIT", + "dependencies": { + "micromark-util-character": "^2.0.0", + "micromark-util-sanitize-uri": "^2.0.0", + "micromark-util-symbol": "^2.0.0", + "micromark-util-types": "^2.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/unified" + } + }, + "node_modules/micromark-extension-gfm-footnote": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/micromark-extension-gfm-footnote/-/micromark-extension-gfm-footnote-2.1.0.tgz", + "integrity": "sha512-/yPhxI1ntnDNsiHtzLKYnE3vf9JZ6cAisqVDauhp4CEHxlb4uoOTxOCJ+9s51bIB8U1N1FJ1RXOKTIlD5B/gqw==", + "dev": true, + "license": "MIT", + "dependencies": { + "devlop": "^1.0.0", + "micromark-core-commonmark": "^2.0.0", + "micromark-factory-space": "^2.0.0", + "micromark-util-character": "^2.0.0", + "micromark-util-normalize-identifier": "^2.0.0", + 
"micromark-util-sanitize-uri": "^2.0.0", + "micromark-util-symbol": "^2.0.0", + "micromark-util-types": "^2.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/unified" + } + }, + "node_modules/micromark-extension-gfm-table": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/micromark-extension-gfm-table/-/micromark-extension-gfm-table-2.1.0.tgz", + "integrity": "sha512-Ub2ncQv+fwD70/l4ou27b4YzfNaCJOvyX4HxXU15m7mpYY+rjuWzsLIPZHJL253Z643RpbcP1oeIJlQ/SKW67g==", + "dev": true, + "license": "MIT", + "dependencies": { + "devlop": "^1.0.0", + "micromark-factory-space": "^2.0.0", + "micromark-util-character": "^2.0.0", + "micromark-util-symbol": "^2.0.0", + "micromark-util-types": "^2.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/unified" + } + }, + "node_modules/micromark-extension-math": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/micromark-extension-math/-/micromark-extension-math-3.1.0.tgz", + "integrity": "sha512-lvEqd+fHjATVs+2v/8kg9i5Q0AP2k85H0WUOwpIVvUML8BapsMvh1XAogmQjOCsLpoKRCVQqEkQBB3NhVBcsOg==", + "dev": true, + "license": "MIT", + "dependencies": { + "@types/katex": "^0.16.0", + "devlop": "^1.0.0", + "katex": "^0.16.0", + "micromark-factory-space": "^2.0.0", + "micromark-util-character": "^2.0.0", + "micromark-util-symbol": "^2.0.0", + "micromark-util-types": "^2.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/unified" + } + }, + "node_modules/micromark-factory-destination": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/micromark-factory-destination/-/micromark-factory-destination-2.0.1.tgz", + "integrity": "sha512-Xe6rDdJlkmbFRExpTOmRj9N3MaWmbAgdpSrBQvCFqhezUn4AHqJHbaEnfbVYYiexVSs//tqOdY/DxhjdCiJnIA==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": 
"https://opencollective.com/unified" + } + ], + "license": "MIT", + "dependencies": { + "micromark-util-character": "^2.0.0", + "micromark-util-symbol": "^2.0.0", + "micromark-util-types": "^2.0.0" + } + }, + "node_modules/micromark-factory-label": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/micromark-factory-label/-/micromark-factory-label-2.0.1.tgz", + "integrity": "sha512-VFMekyQExqIW7xIChcXn4ok29YE3rnuyveW3wZQWWqF4Nv9Wk5rgJ99KzPvHjkmPXF93FXIbBp6YdW3t71/7Vg==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT", + "dependencies": { + "devlop": "^1.0.0", + "micromark-util-character": "^2.0.0", + "micromark-util-symbol": "^2.0.0", + "micromark-util-types": "^2.0.0" + } + }, + "node_modules/micromark-factory-space": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/micromark-factory-space/-/micromark-factory-space-2.0.1.tgz", + "integrity": "sha512-zRkxjtBxxLd2Sc0d+fbnEunsTj46SWXgXciZmHq0kDYGnck/ZSGj9/wULTV95uoeYiK5hRXP2mJ98Uo4cq/LQg==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT", + "dependencies": { + "micromark-util-character": "^2.0.0", + "micromark-util-types": "^2.0.0" + } + }, + "node_modules/micromark-factory-title": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/micromark-factory-title/-/micromark-factory-title-2.0.1.tgz", + "integrity": "sha512-5bZ+3CjhAd9eChYTHsjy6TGxpOFSKgKKJPJxr293jTbfry2KDoWkhBb6TcPVB4NmzaPhMs1Frm9AZH7OD4Cjzw==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT", + 
"dependencies": { + "micromark-factory-space": "^2.0.0", + "micromark-util-character": "^2.0.0", + "micromark-util-symbol": "^2.0.0", + "micromark-util-types": "^2.0.0" + } + }, + "node_modules/micromark-factory-whitespace": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/micromark-factory-whitespace/-/micromark-factory-whitespace-2.0.1.tgz", + "integrity": "sha512-Ob0nuZ3PKt/n0hORHyvoD9uZhr+Za8sFoP+OnMcnWK5lngSzALgQYKMr9RJVOWLqQYuyn6ulqGWSXdwf6F80lQ==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT", + "dependencies": { + "micromark-factory-space": "^2.0.0", + "micromark-util-character": "^2.0.0", + "micromark-util-symbol": "^2.0.0", + "micromark-util-types": "^2.0.0" + } + }, + "node_modules/micromark-util-character": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/micromark-util-character/-/micromark-util-character-2.1.1.tgz", + "integrity": "sha512-wv8tdUTJ3thSFFFJKtpYKOYiGP2+v96Hvk4Tu8KpCAsTMs6yi+nVmGh1syvSCsaxz45J6Jbw+9DD6g97+NV67Q==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT", + "dependencies": { + "micromark-util-symbol": "^2.0.0", + "micromark-util-types": "^2.0.0" + } + }, + "node_modules/micromark-util-chunked": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/micromark-util-chunked/-/micromark-util-chunked-2.0.1.tgz", + "integrity": "sha512-QUNFEOPELfmvv+4xiNg2sRYeS/P84pTW0TCgP5zc9FpXetHY0ab7SxKyAQCNCc1eK0459uoLI1y5oO5Vc1dbhA==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT", + 
"dependencies": { + "micromark-util-symbol": "^2.0.0" + } + }, + "node_modules/micromark-util-classify-character": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/micromark-util-classify-character/-/micromark-util-classify-character-2.0.1.tgz", + "integrity": "sha512-K0kHzM6afW/MbeWYWLjoHQv1sgg2Q9EccHEDzSkxiP/EaagNzCm7T/WMKZ3rjMbvIpvBiZgwR3dKMygtA4mG1Q==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT", + "dependencies": { + "micromark-util-character": "^2.0.0", + "micromark-util-symbol": "^2.0.0", + "micromark-util-types": "^2.0.0" + } + }, + "node_modules/micromark-util-combine-extensions": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/micromark-util-combine-extensions/-/micromark-util-combine-extensions-2.0.1.tgz", + "integrity": "sha512-OnAnH8Ujmy59JcyZw8JSbK9cGpdVY44NKgSM7E9Eh7DiLS2E9RNQf0dONaGDzEG9yjEl5hcqeIsj4hfRkLH/Bg==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT", + "dependencies": { + "micromark-util-chunked": "^2.0.0", + "micromark-util-types": "^2.0.0" + } + }, + "node_modules/micromark-util-decode-numeric-character-reference": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/micromark-util-decode-numeric-character-reference/-/micromark-util-decode-numeric-character-reference-2.0.2.tgz", + "integrity": "sha512-ccUbYk6CwVdkmCQMyr64dXz42EfHGkPQlBj5p7YVGzq8I7CtjXZJrubAYezf7Rp+bjPseiROqe7G6foFd+lEuw==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT", + "dependencies": { + 
"micromark-util-symbol": "^2.0.0" + } + }, + "node_modules/micromark-util-encode": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/micromark-util-encode/-/micromark-util-encode-2.0.1.tgz", + "integrity": "sha512-c3cVx2y4KqUnwopcO9b/SCdo2O67LwJJ/UyqGfbigahfegL9myoEFoDYZgkT7f36T0bLrM9hZTAaAyH+PCAXjw==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT" + }, + "node_modules/micromark-util-html-tag-name": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/micromark-util-html-tag-name/-/micromark-util-html-tag-name-2.0.1.tgz", + "integrity": "sha512-2cNEiYDhCWKI+Gs9T0Tiysk136SnR13hhO8yW6BGNyhOC4qYFnwF1nKfD3HFAIXA5c45RrIG1ub11GiXeYd1xA==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT" + }, + "node_modules/micromark-util-normalize-identifier": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/micromark-util-normalize-identifier/-/micromark-util-normalize-identifier-2.0.1.tgz", + "integrity": "sha512-sxPqmo70LyARJs0w2UclACPUUEqltCkJ6PhKdMIDuJ3gSf/Q+/GIe3WKl0Ijb/GyH9lOpUkRAO2wp0GVkLvS9Q==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT", + "dependencies": { + "micromark-util-symbol": "^2.0.0" + } + }, + "node_modules/micromark-util-resolve-all": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/micromark-util-resolve-all/-/micromark-util-resolve-all-2.0.1.tgz", + "integrity": "sha512-VdQyxFWFT2/FGJgwQnJYbe1jjQoNTS4RjglmSjTUlpUMa95Htx9NHeYW4rGDJzbjvCsl9eLjMQwGeElsqmzcHg==", + "dev": true, + 
"funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT", + "dependencies": { + "micromark-util-types": "^2.0.0" + } + }, + "node_modules/micromark-util-sanitize-uri": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/micromark-util-sanitize-uri/-/micromark-util-sanitize-uri-2.0.1.tgz", + "integrity": "sha512-9N9IomZ/YuGGZZmQec1MbgxtlgougxTodVwDzzEouPKo3qFWvymFHWcnDi2vzV1ff6kas9ucW+o3yzJK9YB1AQ==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT", + "dependencies": { + "micromark-util-character": "^2.0.0", + "micromark-util-encode": "^2.0.0", + "micromark-util-symbol": "^2.0.0" + } + }, + "node_modules/micromark-util-subtokenize": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/micromark-util-subtokenize/-/micromark-util-subtokenize-2.0.4.tgz", + "integrity": "sha512-N6hXjrin2GTJDe3MVjf5FuXpm12PGm80BrUAeub9XFXca8JZbP+oIwY4LJSVwFUCL1IPm/WwSVUN7goFHmSGGQ==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT", + "dependencies": { + "devlop": "^1.0.0", + "micromark-util-chunked": "^2.0.0", + "micromark-util-symbol": "^2.0.0", + "micromark-util-types": "^2.0.0" + } + }, + "node_modules/micromark-util-symbol": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/micromark-util-symbol/-/micromark-util-symbol-2.0.1.tgz", + "integrity": "sha512-vs5t8Apaud9N28kgCrRUdEed4UJ+wWNvicHLPxCa9ENlYuAY31M0ETy5y1vA33YoNPDFTghEbnh6efaE8h4x0Q==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": 
"https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT" + }, + "node_modules/micromark-util-types": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/micromark-util-types/-/micromark-util-types-2.0.1.tgz", + "integrity": "sha512-534m2WhVTddrcKVepwmVEVnUAmtrx9bfIjNoQHRqfnvdaHQiFytEhJoTgpWJvDEXCO5gLTQh3wYC1PgOJA4NSQ==", + "dev": true, + "funding": [ + { + "type": "GitHub Sponsors", + "url": "https://github.com/sponsors/unifiedjs" + }, + { + "type": "OpenCollective", + "url": "https://opencollective.com/unified" + } + ], + "license": "MIT" + }, + "node_modules/minimatch": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "dev": true, + "dependencies": { + "brace-expansion": "^1.1.7" + }, + "engines": { + "node": "*" + } + }, + "node_modules/minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", + "dev": true, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/minipass": { + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", + "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "dev": true, + "license": "ISC", + "engines": { + "node": ">=16 || 14 >=14.17" + } + }, + "node_modules/ms": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", + "dev": true, + "license": "MIT" + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": 
"https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "dev": true, + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/package-json-from-dist": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz", + "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==", + "dev": true, + "license": "BlueOak-1.0.0" + }, + "node_modules/parse-entities": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/parse-entities/-/parse-entities-4.0.2.tgz", + "integrity": "sha512-GG2AQYWoLgL877gQIKeRPGO1xF9+eG1ujIb5soS5gPvLQ1y2o8FL90w2QWNdf9I361Mpp7726c+lj3U0qK1uGw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@types/unist": "^2.0.0", + "character-entities-legacy": "^3.0.0", + "character-reference-invalid": "^2.0.0", + "decode-named-character-reference": "^1.0.0", + "is-alphanumerical": "^2.0.0", + "is-decimal": "^2.0.0", + "is-hexadecimal": "^2.0.0" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/wooorm" + } + }, + "node_modules/path-is-absolute": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", + "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/path-key": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz", + "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/punycode.js": { + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/punycode.js/-/punycode.js-2.3.1.tgz", + "integrity": 
"sha512-uxFIHU0YlHYhDQtV4R9J6a52SLx28BCjT+4ieh7IGbgwVJWO+km431c4yRlREUAsAmt/uMjQUyQHNEPf0M39CA==", + "dev": true, + "engines": { + "node": ">=6" + } + }, + "node_modules/repeat-string": { + "version": "1.6.1", + "resolved": "https://registry.npmjs.org/repeat-string/-/repeat-string-1.6.1.tgz", + "integrity": "sha512-PV0dzCYDNfRi1jCDbJzpW7jNNDRuCOG/jI5ctQcGKt/clZD+YcPS3yIlWuTJMmESC8aevCFmWJy5wjAFgNqN6w==", + "dev": true, + "engines": { + "node": ">=0.10" + } + }, + "node_modules/run-con": { + "version": "1.3.2", + "resolved": "https://registry.npmjs.org/run-con/-/run-con-1.3.2.tgz", + "integrity": "sha512-CcfE+mYiTcKEzg0IqS08+efdnH0oJ3zV0wSUFBNrMHMuxCtXvBCLzCJHatwuXDcu/RlhjTziTo/a1ruQik6/Yg==", + "dev": true, + "dependencies": { + "deep-extend": "^0.6.0", + "ini": "~4.1.0", + "minimist": "^1.2.8", + "strip-json-comments": "~3.1.1" + }, + "bin": { + "run-con": "cli.js" + } + }, + "node_modules/shebang-command": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", + "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==", + "dev": true, + "dependencies": { + "shebang-regex": "^3.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/shebang-regex": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz", + "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/signal-exit": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.0.1.tgz", + "integrity": "sha512-uUWsN4aOxJAS8KOuf3QMyFtgm1pkb6I+KRZbRF/ghdf5T7sM+B1lLLzPDxswUjkmHyxQAVzEgG35E3NzDM9GVw==", + "dev": true, + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/smol-toml": { + "version": "1.3.1", + 
"resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.3.1.tgz", + "integrity": "sha512-tEYNll18pPKHroYSmLLrksq233j021G0giwW7P3D24jC54pQ5W5BXMsQ/Mvw1OJCmEYDgY+lrzT+3nNUtoNfXQ==", + "dev": true, + "license": "BSD-3-Clause", + "engines": { + "node": ">= 18" + }, + "funding": { + "url": "https://github.com/sponsors/cyyynthia" + } + }, + "node_modules/string-width": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz", + "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==", + "dev": true, + "dependencies": { + "eastasianwidth": "^0.2.0", + "emoji-regex": "^9.2.2", + "strip-ansi": "^7.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/string-width-cjs": { + "name": "string-width", + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "dev": true, + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/string-width-cjs/node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/string-width-cjs/node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "dev": true + }, + "node_modules/string-width-cjs/node_modules/strip-ansi": { + "version": "6.0.1", + 
"resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "dev": true, + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/strip-ansi": { + "version": "7.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.0.1.tgz", + "integrity": "sha512-cXNxvT8dFNRVfhVME3JAe98mkXDYN2O1l7jmcwMnOslDeESg1rF/OZMtK0nRAhiari1unG5cD4jG3rapUAkLbw==", + "dev": true, + "dependencies": { + "ansi-regex": "^6.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/strip-ansi?sponsor=1" + } + }, + "node_modules/strip-ansi-cjs": { + "name": "strip-ansi", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "dev": true, + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/strip-ansi-cjs/node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/strip-json-comments": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz", + "integrity": "sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==", + "dev": true, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/uc.micro": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/uc.micro/-/uc.micro-2.1.0.tgz", + "integrity": 
"sha512-ARDJmphmdvUk6Glw7y9DQ2bFkKBHwQHLi2lsaH6PPmz/Ka9sFOBsBluozhDltWmnv9u/cF6Rt87znRTPV+yp/A==", + "dev": true + }, + "node_modules/which": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", + "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==", + "dev": true, + "dependencies": { + "isexe": "^2.0.0" + }, + "bin": { + "node-which": "bin/node-which" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/wrap-ansi": { + "version": "8.1.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-8.1.0.tgz", + "integrity": "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==", + "dev": true, + "dependencies": { + "ansi-styles": "^6.1.0", + "string-width": "^5.0.1", + "strip-ansi": "^7.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/wrap-ansi?sponsor=1" + } + }, + "node_modules/wrap-ansi-cjs": { + "name": "wrap-ansi", + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", + "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", + "dev": true, + "dependencies": { + "ansi-styles": "^4.0.0", + "string-width": "^4.1.0", + "strip-ansi": "^6.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/wrap-ansi?sponsor=1" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/ansi-styles": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz", + "integrity": 
"sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==", + "dev": true, + "dependencies": { + "color-convert": "^2.0.1" + }, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "dev": true + }, + "node_modules/wrap-ansi-cjs/node_modules/string-width": { + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "dev": true, + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/strip-ansi": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "dev": true, + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", + "dev": true + }, + "node_modules/yaml": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.7.0.tgz", + "integrity": "sha512-+hSoy/QHluxmC9kCIJyL/uyFmLmc+e5CFR5Wa+bpIhIj85LVb9ZH2nVnqrHoSvKogwODv0ClqZkmiSSaIH5LTA==", + "dev": true, + "license": "ISC", + "bin": { + "yaml": "bin.mjs" + }, + "engines": { + "node": ">= 14" + } + } + } 
+}
diff --git a/charts/helm-gitea/package.json b/charts/helm-gitea/package.json
new file mode 100644
index 0000000..1a90d83
--- /dev/null
+++ b/charts/helm-gitea/package.json
@@ -0,0 +1,19 @@
+{
+ "name": "gitea-helm",
+ "homepage": "https://gitea.com/gitea/helm-gitea.git",
+ "license": "MIT",
+ "private": true,
+ "engineStrict": true,
+ "engines": {
+ "node": ">=16.0.0",
+ "npm": ">=8.0.0"
+ },
+ "scripts": {
+ "readme:lint": "markdownlint *.md -f",
+ "readme:parameters": "readme-generator -v values.yaml -r README.md"
+ },
+ "devDependencies": {
+ "@bitnami/readme-generator-for-helm": "^2.5.0",
+ "markdownlint-cli": "^0.44.0"
+ }
+}
\ No newline at end of file
diff --git a/charts/helm-gitea/renovate.json5 b/charts/helm-gitea/renovate.json5
new file mode 100644
index 0000000..7ac2dee
--- /dev/null
+++ b/charts/helm-gitea/renovate.json5
@@ -0,0 +1,124 @@ +{ + $schema: 'https://docs.renovatebot.com/renovate-schema.json', + extends: [ + 'gitea>gitea/renovate-config', + ':automergeMinor', + 'schedule:automergeDaily', + 'schedule:weekends', + ], + labels: [ + 'kind/dependency', + ], + digest: { + automerge: true, + }, + automergeStrategy: 'squash', + 'git-submodules': { + enabled: true, + }, + customManagers: [ + { + description: 'Gitea-version of https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions', + customType: 'regex', + managerFilePatterns: [ + '/.gitea/workflows/.+\\.ya?ml$/', + ], + matchStrings: [ + '# renovate: datasource=(?[a-z-.]+?) depName=(?[^\\s]+?)(?: (?:lookupName|packageName)=(?[^\\s]+?))?(?: versioning=(?[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?_VERSION\\s*:\\s*["\']?(?.+?)["\']?\\s', + ], + }, + { + description: 'Detect helm-unittest yaml schema file', + customType: 'regex', + managerFilePatterns: [ + '/.vscode/settings\\.json$/', + ], + matchStrings: [ + 'https:\\/\\/raw\\.githubusercontent\\.com\\/(?[^\\s]+?)\\/(?v[0-9.]+?)\\/schema\\/helm-testsuite\\.json', + ], + datasourceTemplate: 'github-releases', + }, + { + description: 'Automatically detect new Gitea releases', + customType: 'regex', + managerFilePatterns: [ + '/(^|/)Chart\\.yaml$/', + ], + matchStrings: [ + '# renovate datasource=(?\\S+) depName=(?\\S+) extractVersion=(?\\S+)\\nappVersion:\\s?(?\\S+)\\n', + ], + }, + ], + packageRules: [ + { + groupName: 'subcharts (minor & patch)', + matchManagers: [ + 'helmv3', + ], + matchUpdateTypes: [ + 'minor', + 'patch', + 'digest', + ], + }, + { + groupName: 'bats testing framework', + matchManagers: [ + 'git-submodules', + ], + matchUpdateTypes: [ + 'minor', + 'patch', + 'digest', + ], + }, + { + groupName: 'workflow dependencies (minor & patch)', + matchManagers: [ + 'github-actions', + 'npm', + 'custom.regex', + ], + matchUpdateTypes: [ + 'minor', + 'patch', + 'digest', + ], + matchFileNames: [ + '!Chart.yaml', + ], + }, + { + description: 'Update 
README.md on changes in values.yaml', + matchManagers: [ + 'helm-values', + ], + postUpgradeTasks: { + commands: [ + 'install-tool node', + 'make readme', + ], + fileFilters: [ + 'README.md', + ], + executionMode: 'update', + }, + }, + { + description: 'Override changelog url for Helm image, to have release notes in our PRs', + matchDepNames: [ + 'alpine/helm', + ], + changelogUrl: 'https://github.com/helm/helm', + }, + { + description: 'Bump Gitea as fast as possible - not only on weekends', + matchDepNames: [ + 'go-gitea/gitea', + ], + schedule: [ + 'at any time', + ], + }, + ], +} diff --git a/charts/helm-gitea/scripts/act_runner/token.sh b/charts/helm-gitea/scripts/act_runner/token.sh new file mode 100644 index 0000000..cbb2ebd --- /dev/null +++ b/charts/helm-gitea/scripts/act_runner/token.sh @@ -0,0 +1,43 @@ +#!/bin/sh + +set -eu + +timeout_delay=15 + +check_token() { + set +e + + echo "Checking for existing token..." + token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)" + [ $? -ne 0 ] && return 1 + [ -z "$token" ] && return 2 + return 0 +} + +create_token() { + echo "Waiting for new token to be generated..." + begin=$(date +%s) + end=$((begin + timeout_delay)) + while true; do + [ -f /data/actions/token ] && return 0 + [ "$(date +%s)" -gt $end ] && return 1 + sleep 5 + done +} + +store_token() { + echo "Storing the token in Kubernetes secret..." + kubectl patch secret "$SECRET_NAME" -p "{\"data\":{\"token\":\"$(base64 /data/actions/token | tr -d '\n')\"}}" +} + +if check_token; then + echo "Key already in place, exiting." + exit +fi + +if ! create_token; then + echo "Checking for an existing act runner token in secret $SECRET_NAME timed out after $timeout_delay" + exit 1 +fi + +store_token diff --git a/charts/helm-gitea/scripts/init-containers/config/config_environment.sh b/charts/helm-gitea/scripts/init-containers/config/config_environment.sh new file mode 100644 index 0000000..ed00ea6 --- /dev/null 
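Review bot: `':automergeMinor'` together with `digest: { automerge: true }` and `automergeStrategy: 'squash'` lets Renovate merge minor, patch and digest bumps with no human review, and this copy now lives in a downstream vendoring of the upstream chart, where the `gitea>gitea/renovate-config` preset it extends may not even resolve. For a vendored chart I would drop automerge — remove `':automergeMinor'` and set `digest: { automerge: false }` — or at least scope it to digest pins of images you already trust, so a compromised upstream package cannot land in the chart without a reviewer looking at it. The `postUpgradeTasks` commands (`install-tool node`, `make readme`) only execute when the Renovate instance allowlists them, so on a self-hosted bot they are likely to be skipped or rejected; worth confirming against the bot's `allowedPostUpgradeCommands`. A one-line comment at the top stating that this file was copied from gitea/helm-gitea and which entries were deliberately kept would help the next maintainer decide what is safe to prune.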
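Review bot: `set +e` inside `check_token` is not function-local in POSIX sh, so errexit stays disabled for the rest of the script once the function returns, and `create_token`/`store_token` then run without the `set -eu` protection the header promises. Drop the `set +e` and test the command directly: `if ! token="$(kubectl get secret "$SECRET_NAME" -o jsonpath="{.data['token']}" 2> /dev/null)"; then return 1; fi`. The failure message after `create_token` says it timed out checking the secret, but the loop is actually waiting for `/data/actions/token` to appear — rewording it to `echo "Timed out after ${timeout_delay}s waiting for /data/actions/token to be generated"` will save whoever debugs a stuck init container. Note also that `store_token` passes the base64 token as a `kubectl patch -p` argument, so it is briefly visible in the container's process list; if that matters in your threat model, write the patch JSON to a file and use `--patch-file`.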
+++ b/charts/helm-gitea/scripts/init-containers/config/config_environment.sh 
@@ -0,0 +1,154 @@ +#!/usr/bin/env bash +set -euo pipefail + +function env2ini::log() { + printf "${1}\n" +} + +function env2ini::read_config_to_env() { + local section="${1}" + local line="${2}" + + if [[ -z "${line}" ]]; then + # skip empty line + return + fi + + # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line + local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)" + + if [[ -z "${setting}" ]]; then + env2ini::log ' ! invalid setting' + exit 1 + fi + + local value='' + local regex="^${setting}(\s*)=(\s*)(.*)" + if [[ $line =~ $regex ]]; then + value="${BASH_REMATCH[3]}" + else + env2ini::log ' ! invalid setting' + exit 1 + fi + + env2ini::log " + '${setting}'" + + if [[ -z "${section}" ]]; then + export "GITEA____${setting^^}=${value}" # '^^' makes the variable content uppercase + return + fi + + local masked_section="${section//./_0X2E_}" # '//' instructs to replace all matches + masked_section="${masked_section//-/_0X2D_}" + + export "GITEA__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase +} + +function env2ini::reload_preset_envs() { + env2ini::log "Reloading preset envs..." + + while read -r line; do + if [[ -z "${line}" ]]; then + # skip empty line + return + fi + + # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line + local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)" + + if [[ -z "${setting}" ]]; then + env2ini::log ' ! invalid setting' + exit 1 + fi + + local value='' + local regex="^${setting}(\s*)=(\s*)(.*)" + if [[ $line =~ $regex ]]; then + value="${BASH_REMATCH[3]}" + else + env2ini::log ' ! 
invalid setting' + exit 1 + fi + + env2ini::log " + '${setting}'" + + export "${setting^^}=${value}" # '^^' makes the variable content uppercase + done < "$TMP_EXISTING_ENVS_FILE" + + rm $TMP_EXISTING_ENVS_FILE +} + + +function env2ini::process_config_file() { + local config_file="${1}" + local section="$(basename "${config_file}")" + + if [[ $section == '_generals_' ]]; then + env2ini::log " [ini root]" + section='' + else + env2ini::log " ${section}" + fi + + while read -r line; do + env2ini::read_config_to_env "${section}" "${line}" + done < <(awk 1 "${config_file}") # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading +} + +function env2ini::load_config_sources() { + local path="${1}" + + if [[ -d "${path}" ]]; then + env2ini::log "Processing $(basename "${path}")..." + + while read -d '' configFile; do + env2ini::process_config_file "${configFile}" + done < <(find "${path}" -type l -not -name '..data' -print0) + + env2ini::log "\n" + fi +} + +function env2ini::generate_initial_secrets() { + # These environment variables will either be + # - overwritten with user defined values, + # - initially used to set up Gitea + # Anyway, they won't harm existing app.ini files + + export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN) + export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY) + export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET) + export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET) + + env2ini::log "...Initial secrets generated\n" +} + +# save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs +env | (grep -e '^GITEA__' || [[ $? 
== 1 ]]) > $TMP_EXISTING_ENVS_FILE + +# MUST BE CALLED BEFORE OTHER CONFIGURATION +env2ini::generate_initial_secrets + +env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/inlines/" +env2ini::load_config_sources "$ENV_TO_INI_MOUNT_POINT/additionals/" + +# load existing envs to override auto generated envs +env2ini::reload_preset_envs + +env2ini::log "=== All configuration sources loaded ===\n" + +# safety to prevent rewrite of secret keys if an app.ini already exists +if [ -f ${GITEA_APP_INI} ]; then + env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:' + env2ini::log ' - security.INTERNAL_TOKEN' + env2ini::log ' - security.SECRET_KEY' + env2ini::log ' - oauth2.JWT_SECRET' + env2ini::log ' - server.LFS_JWT_SECRET' + + unset GITEA__SECURITY__INTERNAL_TOKEN + unset GITEA__SECURITY__SECRET_KEY + unset GITEA__OAUTH2__JWT_SECRET + unset GITEA__SERVER__LFS_JWT_SECRET +fi + +environment-to-ini -o $GITEA_APP_INI diff --git a/charts/helm-gitea/scripts/init-containers/init/configure_gpg_environment.sh b/charts/helm-gitea/scripts/init-containers/init/configure_gpg_environment.sh new file mode 100644 index 0000000..894eb1d --- /dev/null +++ b/charts/helm-gitea/scripts/init-containers/init/configure_gpg_environment.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +set -eu + +gpg --batch --import "$TMP_RAW_GPG_KEY" diff --git a/charts/helm-gitea/templates/NOTES.txt b/charts/helm-gitea/templates/NOTES.txt new file mode 100644 index 0000000..ad5a8fa --- /dev/null +++ b/charts/helm-gitea/templates/NOTES.txt 
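Review bot: In `env2ini::reload_preset_envs` the `return` on an empty line sits inside the `while read` loop, so the first blank line exits the whole function, skipping every remaining preset env and the `rm $TMP_EXISTING_ENVS_FILE` after the loop — leaving the dump of all `GITEA__*` values (including any database passwords or tokens passed via env) on disk. `env` only emits a blank line when some `GITEA__` value itself contains a newline, so this is an edge case, but the fix is one word: `continue` instead of `return`. I would also register the cleanup as `trap 'rm -f "$TMP_EXISTING_ENVS_FILE"' EXIT` right after the `env | grep` line so the file is removed on every exit path, including the `exit 1` from the `' ! invalid setting'` branches. `[ -f ${GITEA_APP_INI} ]` and `rm $TMP_EXISTING_ENVS_FILE` should quote their variables, consistent with the rest of the script.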
@@ -0,0 +1,36 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.http.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gitea.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.http.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "gitea.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "gitea.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.http.type }} + echo "Visit http://127.0.0.1:{{ .Values.service.http.port }} to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ .Release.Name }}-http {{ .Values.service.http.port }}:{{ .Values.service.http.port }} +{{- end }} +{{- $warnings := list -}} +{{- if eq (get .Values.gitea.config.cache "ADAPTER") "memory" -}} + {{- $warnings = append $warnings "Gitea uses 'memory' for caching which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#cache-cache for available options." -}} +{{- end }} +{{- if eq (get .Values.gitea.config.queue "TYPE") "level" -}} + {{- $warnings = append $warnings "Gitea uses 'leveldb' for queue actions which is not recommended for production use. 
See https://docs.gitea.com/next/administration/config-cheat-sheet#queue-queue-and-queue for available options." -}} +{{- end }} +{{- if eq (get .Values.gitea.config.session "PROVIDER") "memory" -}} + {{- $warnings = append $warnings "Gitea uses 'memory' for sessions which is not recommended for production use. See https://docs.gitea.com/next/administration/config-cheat-sheet#session-session for available options." -}} +{{- end }} +{{- if gt (len $warnings) 0 }} +2. Review these warnings: +{{- range $warnings }} + - {{ . }} +{{- end }} +{{- end }} diff --git a/charts/helm-gitea/templates/_helpers.tpl b/charts/helm-gitea/templates/_helpers.tpl new file mode 100644 index 0000000..ee9c92b --- /dev/null +++ b/charts/helm-gitea/templates/_helpers.tpl 
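Review bot: The ClusterIP branch port-forwards `svc/{{ .Release.Name }}-http`, while every other branch in this file and the `gitea.default_domain` helper in this same patch derive the service name from `include "gitea.fullname" .`; when the release name does not contain the chart name, fullname is `<release>-gitea` and the printed command targets a service that does not exist. Change it to `kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "gitea.fullname" . }}-http {{ .Values.service.http.port }}:{{ .Values.service.http.port }}`. The LoadBalancer branch likewise reads `.Values.service.port` where the rest of the template uses `.Values.service.http.port`; unless `service.port` is defined in values.yaml (not visible here) that renders as an empty port. The `get .Values.gitea.config.cache "ADAPTER"` checks assume the `cache`, `queue` and `session` maps exist; `gitea.inline_configuration.init` appears to create them, but only if it has run before NOTES.txt is rendered, which is worth confirming with a release whose values omit those sections.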
@@ -0,0 +1,471 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} + +{{- define "gitea.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "gitea.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default worker name. +*/}} +{{- define "gitea.workername" -}} +{{- printf "%s-%s" .global.Release.Name .worker | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gitea.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create image name and tag used by the deployment. 
+*/}} +{{- define "gitea.image" -}} +{{- $fullOverride := .Values.image.fullOverride | default "" -}} +{{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}} +{{- $repository := .Values.image.repository -}} +{{- $separator := ":" -}} +{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}} +{{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}} +{{- $digest := "" -}} +{{- if .Values.image.digest }} + {{- $digest = (printf "@%s" (.Values.image.digest | toString)) -}} +{{- end -}} +{{- if $fullOverride }} + {{- printf "%s" $fullOverride -}} +{{- else if $registry }} + {{- printf "%s/%s%s%s%s%s" $registry $repository $separator $tag $rootless $digest -}} +{{- else -}} + {{- printf "%s%s%s%s%s" $repository $separator $tag $rootless $digest -}} +{{- end -}} +{{- end -}} + +{{/* +Docker Image Registry Secret Names evaluating values as templates +*/}} +{{- define "gitea.images.pullSecrets" -}} +{{- $pullSecrets := .Values.imagePullSecrets -}} +{{- range .Values.global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets (dict "name" .) -}} +{{- end -}} +{{- if (not (empty $pullSecrets)) }} +imagePullSecrets: +{{ toYaml $pullSecrets }} +{{- end }} +{{- end -}} + + +{{/* +Storage Class +*/}} +{{- define "gitea.persistence.storageClass" -}} +{{- $storageClass := (tpl ( default "" .Values.persistence.storageClass) .) | default (tpl ( default "" .Values.global.storageClass) .) }} +{{- if $storageClass }} +storageClassName: {{ $storageClass | quote }} +{{- end }} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "gitea.labels" -}} +helm.sh/chart: {{ include "gitea.chart" . }} +app: {{ include "gitea.name" . }} +{{ include "gitea.selectorLabels" . 
}} +app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{- define "gitea.labels.actRunner" -}} +helm.sh/chart: {{ include "gitea.chart" . }} +app: {{ include "gitea.name" . }}-act-runner +{{ include "gitea.selectorLabels.actRunner" . }} +app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "gitea.selectorLabels" -}} +app.kubernetes.io/name: {{ include "gitea.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{- define "gitea.selectorLabels.actRunner" -}} +app.kubernetes.io/name: {{ include "gitea.name" . }}-act-runner +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{- define "postgresql-ha.dns" -}} +{{- if (index .Values "postgresql-ha").enabled -}} +{{- printf "%s-postgresql-ha-pgpool.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "postgresql-ha" "service" "ports" "postgresql") -}} +{{- end -}} +{{- end -}} + +{{- define "postgresql.dns" -}} +{{- if (index .Values "postgresql").enabled -}} +{{- printf "%s-postgresql.%s.svc.%s:%g" .Release.Name .Release.Namespace .Values.clusterDomain .Values.postgresql.global.postgresql.service.ports.postgresql -}} +{{- end -}} +{{- end -}} + +{{- define "valkey.dns" -}} +{{- if and ((index .Values "valkey-cluster").enabled) ((index .Values "valkey").enabled) -}} +{{- fail "valkey and valkey-cluster cannot be enabled at the same time. Please only choose one." 
-}} +{{- else if (index .Values "valkey-cluster").enabled -}} +{{- printf "redis+cluster://:%s@%s-valkey-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey-cluster").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey-cluster").service.ports.valkey -}} +{{- else if (index .Values "valkey").enabled -}} +{{- printf "redis://:%s@%s-valkey-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey").master.service.ports.valkey -}} +{{- end -}} +{{- end -}} + +{{- define "valkey.port" -}} +{{- if (index .Values "valkey-cluster").enabled -}} +{{ (index .Values "valkey-cluster").service.ports.valkey }} +{{- else if (index .Values "valkey").enabled -}} +{{ (index .Values "valkey").master.service.ports.valkey }} +{{- end -}} +{{- end -}} + +{{- define "valkey.servicename" -}} +{{- if (index .Values "valkey-cluster").enabled -}} +{{- printf "%s-valkey-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}} +{{- else if (index .Values "valkey").enabled -}} +{{- printf "%s-valkey-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}} +{{- end -}} +{{- end -}} + +{{- define "gitea.default_domain" -}} +{{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}} +{{- end -}} + +{{- define "gitea.ldap_settings" -}} +{{- $idx := index . 0 }} +{{- $values := index . 
1 }} + +{{- if not (hasKey $values "bindDn") -}} +{{- $_ := set $values "bindDn" "" -}} +{{- end -}} + +{{- if not (hasKey $values "bindPassword") -}} +{{- $_ := set $values "bindPassword" "" -}} +{{- end -}} + +{{- $flags := list "notActive" "skipTlsVerify" "allowDeactivateAll" "synchronizeUsers" "attributesInBind" -}} +{{- range $key, $val := $values -}} +{{- if and (ne $key "enabled") (ne $key "existingSecret") -}} +{{- if eq $key "bindDn" -}} +{{- printf "--%s \"${GITEA_LDAP_BIND_DN_%d}\" " ($key | kebabcase) ($idx) -}} +{{- else if eq $key "bindPassword" -}} +{{- printf "--%s \"${GITEA_LDAP_PASSWORD_%d}\" " ($key | kebabcase) ($idx) -}} +{{- else if eq $key "port" -}} +{{- printf "--%s %d " $key ($val | int) -}} +{{- else if has $key $flags -}} +{{- printf "--%s " ($key | kebabcase) -}} +{{- else -}} +{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "gitea.oauth_settings" -}} +{{- $idx := index . 0 }} +{{- $values := index . 1 }} + +{{- if not (hasKey $values "key") -}} +{{- $_ := set $values "key" (printf "${GITEA_OAUTH_KEY_%d}" $idx) -}} +{{- end -}} + +{{- if not (hasKey $values "secret") -}} +{{- $_ := set $values "secret" (printf "${GITEA_OAUTH_SECRET_%d}" $idx) -}} +{{- end -}} + +{{- range $key, $val := $values -}} +{{- if ne $key "existingSecret" -}} +{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "gitea.public_protocol" -}} +{{- if and .Values.ingress.enabled (gt (len .Values.ingress.tls) 0) -}} +https +{{- else -}} +{{ .Values.gitea.config.server.PROTOCOL }} +{{- end -}} +{{- end -}} + +{{- define "gitea.inline_configuration" -}} + {{- include "gitea.inline_configuration.init" . -}} + {{- include "gitea.inline_configuration.defaults" . 
-}} + + {{- $generals := list -}} + {{- $inlines := dict -}} + + {{- range $key, $value := .Values.gitea.config }} + {{- if kindIs "map" $value }} + {{- if gt (len $value) 0 }} + {{- $section := default list (get $inlines $key) -}} + {{- range $n_key, $n_value := $value }} + {{- $section = append $section (printf "%s=%v" $n_key $n_value) -}} + {{- end }} + {{- $_ := set $inlines $key (join "\n" $section) -}} + {{- end -}} + {{- else }} + {{- if or (eq $key "APP_NAME") (eq $key "RUN_USER") (eq $key "RUN_MODE") -}} + {{- $generals = append $generals (printf "%s=%s" $key $value) -}} + {{- else -}} + {{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}} + {{- end -}} + + {{- end }} + {{- end }} + + {{- $_ := set $inlines "_generals_" (join "\n" $generals) -}} + {{- toYaml $inlines -}} +{{- end -}} + +{{- define "gitea.inline_configuration.init" -}} + {{- if not (hasKey .Values.gitea.config "cache") -}} + {{- $_ := set .Values.gitea.config "cache" dict -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config "server") -}} + {{- $_ := set .Values.gitea.config "server" dict -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config "metrics") -}} + {{- $_ := set .Values.gitea.config "metrics" dict -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config "database") -}} + {{- $_ := set .Values.gitea.config "database" dict -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config "security") -}} + {{- $_ := set .Values.gitea.config "security" dict -}} + {{- end -}} + {{- if not .Values.gitea.config.repository -}} + {{- $_ := set .Values.gitea.config "repository" dict -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config "oauth2") -}} + {{- $_ := set .Values.gitea.config "oauth2" dict -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config "session") -}} + {{- $_ := set .Values.gitea.config "session" dict -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config "queue") -}} + {{- $_ := set .Values.gitea.config "queue" dict -}} + 
{{- end -}} + {{- if not (hasKey .Values.gitea.config "queue.issue_indexer") -}} + {{- $_ := set .Values.gitea.config "queue.issue_indexer" dict -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config "indexer") -}} + {{- $_ := set .Values.gitea.config "indexer" dict -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config "actions") -}} + {{- $_ := set .Values.gitea.config "actions" dict -}} + {{- end -}} +{{- end -}} + +{{- define "gitea.inline_configuration.defaults" -}} + {{- include "gitea.inline_configuration.defaults.server" . -}} + {{- include "gitea.inline_configuration.defaults.database" . -}} + + {{- if not .Values.gitea.config.repository.ROOT -}} + {{- $_ := set .Values.gitea.config.repository "ROOT" "/data/git/gitea-repositories" -}} + {{- end -}} + {{- if not .Values.gitea.config.security.INSTALL_LOCK -}} + {{- $_ := set .Values.gitea.config.security "INSTALL_LOCK" "true" -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}} + {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}} + {{- end -}} + {{- if and (not (hasKey .Values.gitea.config.metrics "TOKEN")) (.Values.gitea.metrics.token) (.Values.gitea.metrics.enabled) -}} + {{- $_ := set .Values.gitea.config.metrics "TOKEN" .Values.gitea.metrics.token -}} + {{- end -}} + {{- /* valkey queue */ -}} + {{- if or ((index .Values "valkey-cluster").enabled) ((index .Values "valkey").enabled) -}} + {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}} + {{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "valkey.dns" .) -}} + {{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}} + {{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" (include "valkey.dns" .) -}} + {{- $_ := set .Values.gitea.config.cache "ADAPTER" "redis" -}} + {{- $_ := set .Values.gitea.config.cache "HOST" (include "valkey.dns" .) 
-}} + {{- else -}} + {{- if not (get .Values.gitea.config.session "PROVIDER") -}} + {{- $_ := set .Values.gitea.config.session "PROVIDER" "memory" -}} + {{- end -}} + {{- if not (get .Values.gitea.config.session "PROVIDER_CONFIG") -}} + {{- $_ := set .Values.gitea.config.session "PROVIDER_CONFIG" "" -}} + {{- end -}} + {{- if not (get .Values.gitea.config.queue "TYPE") -}} + {{- $_ := set .Values.gitea.config.queue "TYPE" "level" -}} + {{- end -}} + {{- if not (get .Values.gitea.config.queue "CONN_STR") -}} + {{- $_ := set .Values.gitea.config.queue "CONN_STR" "" -}} + {{- end -}} + {{- if not (get .Values.gitea.config.cache "ADAPTER") -}} + {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memory" -}} + {{- end -}} + {{- if not (get .Values.gitea.config.cache "HOST") -}} + {{- $_ := set .Values.gitea.config.cache "HOST" "" -}} + {{- end -}} + {{- end -}} + {{- if not .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE -}} + {{- $_ := set .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE" "db" -}} + {{- end -}} +{{- end -}} + +{{- define "gitea.inline_configuration.defaults.server" -}} + {{- if not (hasKey .Values.gitea.config.server "HTTP_PORT") -}} + {{- $_ := set .Values.gitea.config.server "HTTP_PORT" .Values.service.http.port -}} + {{- end -}} + {{- if not .Values.gitea.config.server.PROTOCOL -}} + {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}} + {{- end -}} + {{- if not (.Values.gitea.config.server.DOMAIN) -}} + {{- if gt (len .Values.ingress.hosts) 0 -}} + {{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}} + {{- else -}} + {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}} + {{- end -}} + {{- end -}} + {{- if not .Values.gitea.config.server.ROOT_URL -}} + {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) 
.Values.gitea.config.server.DOMAIN) -}} + {{- end -}} + {{- if not .Values.gitea.config.server.SSH_DOMAIN -}} + {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}} + {{- end -}} + {{- if not .Values.gitea.config.server.SSH_PORT -}} + {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}} + {{- if not .Values.image.rootless -}} + {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}} + {{- else -}} + {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" "2222" -}} + {{- end -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config.server "START_SSH_SERVER") -}} + {{- if .Values.image.rootless -}} + {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "true" -}} + {{- end -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}} + {{- $_ := set .Values.gitea.config.server "APP_DATA_PATH" "/data" -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config.server "ENABLE_PPROF") -}} + {{- $_ := set .Values.gitea.config.server "ENABLE_PPROF" false -}} + {{- end -}} +{{- end -}} + +{{- define "gitea.inline_configuration.defaults.database" -}} + {{- if (index .Values "postgresql-ha" "enabled") -}} + {{- $_ := set .Values.gitea.config.database "DB_TYPE" "postgres" -}} + {{- if not (.Values.gitea.config.database.HOST) -}} + {{- $_ := set .Values.gitea.config.database "HOST" (include "postgresql-ha.dns" .) 
-}} + {{- end -}} + {{- $_ := set .Values.gitea.config.database "NAME" (index .Values "postgresql-ha" "global" "postgresql" "database") -}} + {{- $_ := set .Values.gitea.config.database "USER" (index .Values "postgresql-ha" "global" "postgresql" "username") -}} + {{- $_ := set .Values.gitea.config.database "PASSWD" (index .Values "postgresql-ha" "global" "postgresql" "password") -}} + {{- end -}} + {{- if (index .Values "postgresql" "enabled") -}} + {{- $_ := set .Values.gitea.config.database "DB_TYPE" "postgres" -}} + {{- if not (.Values.gitea.config.database.HOST) -}} + {{- $_ := set .Values.gitea.config.database "HOST" (include "postgresql.dns" .) -}} + {{- end -}} + {{- $_ := set .Values.gitea.config.database "NAME" .Values.postgresql.global.postgresql.auth.database -}} + {{- $_ := set .Values.gitea.config.database "USER" .Values.postgresql.global.postgresql.auth.username -}} + {{- $_ := set .Values.gitea.config.database "PASSWD" .Values.postgresql.global.postgresql.auth.password -}} + {{- end -}} +{{- end -}} + +{{- define "gitea.init-additional-mounts" -}} + {{- /* Honor the deprecated extraVolumeMounts variable when defined */ -}} + {{- if gt (len .Values.extraInitVolumeMounts) 0 -}} + {{- toYaml .Values.extraInitVolumeMounts -}} + {{- else if gt (len .Values.extraVolumeMounts) 0 -}} + {{- toYaml .Values.extraVolumeMounts -}} + {{- end -}} +{{- end -}} + +{{- define "gitea.container-additional-mounts" -}} + {{- /* Honor the deprecated extraVolumeMounts variable when defined */ -}} + {{- if gt (len .Values.extraContainerVolumeMounts) 0 -}} + {{- toYaml .Values.extraContainerVolumeMounts -}} + {{- else if gt (len .Values.extraVolumeMounts) 0 -}} + {{- toYaml .Values.extraVolumeMounts -}} + {{- end -}} +{{- end -}} + +{{- define "gitea.gpg-key-secret-name" -}} +{{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }} +{{- end -}} + +{{- define "gitea.serviceAccountName" -}} +{{ .Values.serviceAccount.name | default 
(include "gitea.fullname" .) }} +{{- end -}} + +{{- define "ingress.annotations" -}} + {{- if .Values.ingress.annotations }} + annotations: + {{- $tp := typeOf .Values.ingress.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.ingress.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.ingress.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{- define "gitea.admin.passwordMode" -}} +{{- if has .Values.gitea.admin.passwordMode (tuple "keepUpdated" "initialOnlyNoReset" "initialOnlyRequireReset") -}} +{{ .Values.gitea.admin.passwordMode }} +{{- else -}} +{{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }} +{{- end -}} +{{- end -}} + +{{/* Create a functioning probe object for rendering. Given argument must be either a livenessProbe, readinessProbe, or startupProbe */}} +{{- define "gitea.deployment.probe" -}} + {{- $probe := unset . "enabled" -}} + {{- $probeKeys := keys $probe -}} + {{- $containsCustomMethod := false -}} + {{- $chartDefaultMethod := "tcpSocket" -}} + {{- $nonChartDefaultMethods := list "exec" "httpGet" "grpc" -}} + {{- range $probeKeys -}} + {{- if has . $nonChartDefaultMethods -}} + {{- $containsCustomMethod = true -}} + {{- end -}} + {{- end -}} + {{- if $containsCustomMethod -}} + {{- $probe = unset . $chartDefaultMethod -}} + {{- end -}} + {{- toYaml $probe -}} +{{- end -}} + +{{- define "gitea.metrics-secret-name" -}} +{{ default (printf "%s-metrics-secret" (include "gitea.fullname" .)) }} +{{- end -}} diff --git a/charts/helm-gitea/templates/gitea/check-actions-not-present.yaml b/charts/helm-gitea/templates/gitea/check-actions-not-present.yaml new file mode 100644 index 0000000..ad17bf6 --- /dev/null +++ b/charts/helm-gitea/templates/gitea/check-actions-not-present.yaml 
@@ -0,0 +1,3 @@
+{{- if .Values.actions -}}
+ {{- fail "The actions sub-chart has been outsourced to a dedicated chart available at https://gitea.com/gitea/helm-actions. For assistance with the migration process, check https://gitea.com/gitea/helm-actions/issues/9." -}}
+{{- end -}}
diff --git a/charts/helm-gitea/templates/gitea/config.yaml b/charts/helm-gitea/templates/gitea/config.yaml
new file mode 100644
index 0000000..d5655a8
--- /dev/null
+++ b/charts/helm-gitea/templates/gitea/config.yaml
@@ -0,0 +1,57 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gitea.fullname" . }}-inline-config + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: + {{- include "gitea.labels" . | nindent 4 }} +type: Opaque +stringData: + {{- include "gitea.inline_configuration" . | nindent 2 }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gitea.fullname" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: + {{- include "gitea.labels" . | nindent 4 }} +type: Opaque +stringData: +{{ (.Files.Glob "scripts/init-containers/config/*.sh").AsConfig | indent 2 }} + assertions: | + + {{- /*assert that only one PG dep is enabled */ -}} + {{- if and (.Values.postgresql.enabled) (index .Values "postgresql-ha" "enabled") -}} + {{- fail "Only one of postgresql or postgresql-ha can be enabled at the same time." -}} + {{- end }} + + {{- /* multiple replicas assertions */ -}} + {{- if gt .Values.replicaCount 1.0 -}} + {{- if .Values.gitea.config.cron -}} + {{- if .Values.gitea.config.cron.GIT_GC_REPOS -}} + {{- if eq .Values.gitea.config.cron.GIT_GC_REPOS.ENABLED true -}} + {{ fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'." }} + {{- end }} + {{- end }} + {{- end }} + + {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}} + {{- fail "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany." -}} + {{- end }} + {{- if .Values.gitea.config.indexer -}} + {{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}} + {{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." 
-}} + {{- end }} + {{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}} + {{- if eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve" -}} + {{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}} + {{- if eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED true -}} + {{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + + {{- end }} diff --git a/charts/helm-gitea/templates/gitea/deployment.yaml b/charts/helm-gitea/templates/gitea/deployment.yaml new file mode 100644 index 0000000..87e1bbb --- /dev/null +++ b/charts/helm-gitea/templates/gitea/deployment.yaml 
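Review bot: The GIT_GC_REPOS assertion's failure message tells the operator to set `gitea.config.cron.GIT_GC_REPOS.enabled = false`, but the condition reads the upper-case `ENABLED` key, so following the message literally leaves the failing key untouched; the message should name `'gitea.config.cron.GIT_GC_REPOS.ENABLED = false'`. Both Secrets in this file carry the rendered app.ini sections, including `database.PASSWD` and `metrics.TOKEN` set by the helpers, and the `assertions` key is only a vehicle for `fail` calls; a short comment above the first `stringData:` such as `# Rendered app.ini (contains DB credentials and the metrics token); hashed into checksum/config on the Deployment` would make both facts explicit to readers who only open this file.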
@@ -0,0 +1,426 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "gitea.fullname" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} + annotations: + {{- if .Values.deployment.annotations }} + {{- toYaml .Values.deployment.annotations | nindent 4 }} + {{- end }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + {{- if .Values.deployment.labels }} + {{- toYaml .Values.deployment.labels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicaCount }} + strategy: + type: {{ .Values.strategy.type }} + {{- if eq .Values.strategy.type "RollingUpdate" }} + rollingUpdate: + maxUnavailable: {{ .Values.strategy.rollingUpdate.maxUnavailable }} + maxSurge: {{ .Values.strategy.rollingUpdate.maxSurge }} + {{- end }} + selector: + matchLabels: + {{- include "gitea.selectorLabels" . | nindent 6 }} + {{- if .Values.deployment.labels }} + {{- toYaml .Values.deployment.labels | nindent 6 }} + {{- end }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }} + {{- range $idx, $value := .Values.gitea.ldap }} + checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }} + {{- end }} + {{- range $idx, $value := .Values.gitea.oauth }} + checksum/oauth_{{ $idx }}: {{ include "gitea.oauth_settings" (list $idx $value) | sha256sum }} + {{- end }} + {{- with .Values.gitea.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gitea.labels" . | nindent 8 }} + {{- if .Values.deployment.labels }} + {{- toYaml .Values.deployment.labels | nindent 8 }} + {{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} + {{- if (or .Values.serviceAccount.create .Values.serviceAccount.name) }} + serviceAccountName: {{ include "gitea.serviceAccountName" . 
}} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} + {{- include "gitea.images.pullSecrets" . | nindent 6 }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + initContainers: + - name: init-directories + image: "{{ include "gitea.image" . }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "{{ .Values.initContainersScriptsVolumeMountPath }}/init_directory_structure.sh" + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + {{- if .Values.deployment.env }} + {{- toYaml .Values.deployment.env | nindent 12 }} + {{- end }} + {{- if .Values.signing.enabled }} + - name: GNUPGHOME + value: {{ .Values.signing.gpgHome }} + {{- end }} + volumeMounts: + - name: init + mountPath: {{ .Values.initContainersScriptsVolumeMountPath }} + - name: temp + mountPath: /tmp + - name: data + mountPath: /data + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- include "gitea.init-additional-mounts" . | nindent 12 }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + resources: + {{- toYaml .Values.initContainers.resources | nindent 12 }} + - name: init-app-ini + image: "{{ include "gitea.image" . 
}}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - "{{ .Values.initContainersScriptsVolumeMountPath }}/config_environment.sh" + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + - name: TMP_EXISTING_ENVS_FILE + value: /tmp/existing-envs + - name: ENV_TO_INI_MOUNT_POINT + value: /env-to-ini-mounts + {{- if .Values.deployment.env }} + {{- toYaml .Values.deployment.env | nindent 12 }} + {{- end }} + {{- if .Values.gitea.additionalConfigFromEnvs }} + {{- tpl (toYaml .Values.gitea.additionalConfigFromEnvs) $ | nindent 12 }} + {{- end }} + volumeMounts: + - name: config + mountPath: {{ .Values.initContainersScriptsVolumeMountPath }} + - name: temp + mountPath: /tmp + - name: data + mountPath: /data + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + - name: inline-config-sources + mountPath: /env-to-ini-mounts/inlines/ + {{- range $idx, $value := .Values.gitea.additionalConfigSources }} + - name: additional-config-sources-{{ $idx }} + mountPath: "/env-to-ini-mounts/additionals/{{ $idx }}/" + {{- end }} + {{- include "gitea.init-additional-mounts" . | nindent 12 }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + resources: + {{- toYaml .Values.initContainers.resources | nindent 12 }} + {{- if .Values.signing.enabled }} + - name: configure-gpg + image: "{{ include "gitea.image" . 
}}" + command: + - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gpg_environment.sh" + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{- /* By default this container runs as user 1000 unless otherwise stated */ -}} + {{- $csc := deepCopy .Values.containerSecurityContext -}} + {{- if not (hasKey $csc "runAsUser") -}} + {{- $_ := set $csc "runAsUser" 1000 -}} + {{- end -}} + {{- toYaml $csc | nindent 12 }} + env: + - name: GNUPGHOME + value: {{ .Values.signing.gpgHome }} + - name: TMP_RAW_GPG_KEY + value: /raw/private.asc + volumeMounts: + - name: init + mountPath: {{ .Values.initContainersScriptsVolumeMountPath }} + - name: data + mountPath: /data + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + - name: gpg-private-key + mountPath: /raw + readOnly: true + {{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 12 }} + {{- end }} + resources: + {{- toYaml .Values.initContainers.resources | nindent 12 }} + {{- end }} + - name: configure-gitea + image: "{{ include "gitea.image" . 
}}" + command: + - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gitea.sh" + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{- /* By default this container runs as user 1000 unless otherwise stated */ -}} + {{- $csc := deepCopy .Values.containerSecurityContext -}} + {{- if not (hasKey $csc "runAsUser") -}} + {{- $_ := set $csc "runAsUser" 1000 -}} + {{- end -}} + {{- toYaml $csc | nindent 12 }} + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + {{- if .Values.image.rootless }} + - name: HOME + value: /data/gitea/git + {{- end }} + {{- if .Values.gitea.ldap }} + {{- range $idx, $value := .Values.gitea.ldap }} + {{- if $value.existingSecret }} + - name: GITEA_LDAP_BIND_DN_{{ $idx }} + valueFrom: + secretKeyRef: + key: bindDn + name: {{ $value.existingSecret }} + - name: GITEA_LDAP_PASSWORD_{{ $idx }} + valueFrom: + secretKeyRef: + key: bindPassword + name: {{ $value.existingSecret }} + {{- else }} + - name: GITEA_LDAP_BIND_DN_{{ $idx }} + value: {{ $value.bindDn | quote }} + - name: GITEA_LDAP_PASSWORD_{{ $idx }} + value: {{ $value.bindPassword | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.gitea.oauth }} + {{- range $idx, $value := .Values.gitea.oauth }} + {{- if $value.existingSecret }} + - name: GITEA_OAUTH_KEY_{{ $idx }} + valueFrom: + secretKeyRef: + key: key + name: {{ $value.existingSecret }} + - name: GITEA_OAUTH_SECRET_{{ $idx }} + valueFrom: + secretKeyRef: + key: secret + name: {{ $value.existingSecret }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.gitea.admin.existingSecret }} + - name: GITEA_ADMIN_USERNAME + valueFrom: + secretKeyRef: + key: username + name: {{ .Values.gitea.admin.existingSecret }} + - name: GITEA_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: {{ .Values.gitea.admin.existingSecret }} + {{- else }} + - name: 
GITEA_ADMIN_USERNAME + value: {{ .Values.gitea.admin.username | quote }} + - name: GITEA_ADMIN_PASSWORD + value: {{ .Values.gitea.admin.password | quote }} + {{- end }} + - name: GITEA_ADMIN_PASSWORD_MODE + value: {{ include "gitea.admin.passwordMode" $ }} + {{- if .Values.deployment.env }} + {{- toYaml .Values.deployment.env | nindent 12 }} + {{- end }} + volumeMounts: + - name: init + mountPath: {{ .Values.initContainersScriptsVolumeMountPath }} + - name: temp + mountPath: /tmp + - name: data + mountPath: /data + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- include "gitea.init-additional-mounts" . | nindent 12 }} + resources: + {{- toYaml .Values.initContainers.resources | nindent 12 }} + terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }} + containers: + - name: {{ .Chart.Name }} + image: "{{ include "gitea.image" . }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + # SSH Port values have to be set here as well for openssh configuration + - name: SSH_LISTEN_PORT + value: {{ .Values.gitea.config.server.SSH_LISTEN_PORT | quote }} + - name: SSH_PORT + value: {{ .Values.gitea.config.server.SSH_PORT | quote }} + {{- if not .Values.image.rootless }} + - name: SSH_LOG_LEVEL + value: {{ .Values.gitea.ssh.logLevel | quote }} + {{- end }} + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + {{- if and (hasKey .Values.resources "limits") (hasKey .Values.resources.limits "cpu") }} + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + divisor: "1" + resource: limits.cpu + {{- end }} + - name: TMPDIR + value: /tmp/gitea + {{- if .Values.image.rootless }} + - name: HOME + value: /data/gitea/git + {{- end }} + {{- if .Values.signing.enabled }} + - name: GNUPGHOME + value: {{ .Values.signing.gpgHome }} + {{- end }} + {{- if .Values.deployment.env 
}} + {{- toYaml .Values.deployment.env | nindent 12 }} + {{- end }} + ports: + - name: ssh + containerPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }} + {{- if .Values.service.ssh.hostPort }} + hostPort: {{ .Values.service.ssh.hostPort }} + {{- end }} + - name: http + containerPort: {{ .Values.gitea.config.server.HTTP_PORT }} + {{- if .Values.gitea.config.server.ENABLE_PPROF }} + - name: profiler + containerPort: 6060 + {{- end }} + {{- if .Values.gitea.livenessProbe.enabled }} + livenessProbe: + {{- include "gitea.deployment.probe" .Values.gitea.livenessProbe | nindent 12 }} + {{- end }} + {{- if .Values.gitea.readinessProbe.enabled }} + readinessProbe: + {{- include "gitea.deployment.probe" .Values.gitea.readinessProbe | nindent 12 }} + {{- end }} + {{- if .Values.gitea.startupProbe.enabled }} + startupProbe: + {{- include "gitea.deployment.probe" .Values.gitea.startupProbe | nindent 12 }} + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + securityContext: + {{- /* Honor the deprecated securityContext variable when defined */ -}} + {{- if .Values.containerSecurityContext -}} + {{ toYaml .Values.containerSecurityContext | nindent 12 -}} + {{- else -}} + {{ toYaml .Values.securityContext | nindent 12 -}} + {{- end }} + volumeMounts: + - name: temp + mountPath: /tmp + - name: data + mountPath: /data + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- include "gitea.container-additional-mounts" . | nindent 12 }} + {{- if .Values.extraContainers }} + {{- toYaml .Values.extraContainers | nindent 8 }} + {{- end }} + {{- with .Values.global.hostAliases }} + hostAliases: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- range $key, $value := .Values.nodeSelector }} + nodeSelector: + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.dnsConfig }} + dnsConfig: + {{- toYaml .Values.dnsConfig | nindent 8 }} + {{- end }} + volumes: + - name: init + secret: + secretName: {{ include "gitea.fullname" . }}-init + defaultMode: 110 + - name: config + secret: + secretName: {{ include "gitea.fullname" . }} + defaultMode: 110 + {{- if gt (len .Values.extraVolumes) 0 }} + {{- toYaml .Values.extraVolumes | nindent 8 }} + {{- end }} + - name: inline-config-sources + secret: + secretName: {{ include "gitea.fullname" . }}-inline-config + {{- range $idx, $value := .Values.gitea.additionalConfigSources }} + - name: additional-config-sources-{{ $idx }} + {{- toYaml $value | nindent 10 }} + {{- end }} + - name: temp + emptyDir: {} + {{- if .Values.signing.enabled }} + - name: gpg-private-key + secret: + secretName: {{ include "gitea.gpg-key-secret-name" . }} + items: + - key: privateKey + path: private.asc + defaultMode: 0100 + {{- end }} + {{- if .Values.persistence.enabled }} + {{- if .Values.persistence.mount }} + - name: data + persistentVolumeClaim: + claimName: {{ .Values.persistence.claimName }} + {{- end }} + {{- else if not .Values.persistence.enabled }} + - name: data + emptyDir: {} + {{- end }} diff --git a/charts/helm-gitea/templates/gitea/deprecation.yaml b/charts/helm-gitea/templates/gitea/deprecation.yaml new file mode 100644 index 0000000..057c5bd --- /dev/null +++ b/charts/helm-gitea/templates/gitea/deprecation.yaml 
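Review bot: When `gitea.admin.existingSecret` is unset, the configure-gitea init container receives `GITEA_ADMIN_PASSWORD` as a literal `value:` in the pod spec, and the same happens for `GITEA_LDAP_PASSWORD_<idx>` when an LDAP entry has no `existingSecret`, so the credential becomes readable to anyone who can get the Deployment or Pod rather than only to readers of a Secret. The inline branch could instead reference the chart's own Secret via `secretKeyRef`; failing that, a comment on the `{{- else }}` branch should state that inline values are a development convenience and `existingSecret` is the supported path. Separately, `defaultMode: 110` on the `init` and `config` volumes is decimal (octal 0156), which does not look like an intended permission set; if it is carried over from the upstream chart on purpose, a comment saying so would stop the next reader from "fixing" it.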
@@ -0,0 +1,34 @@
+{{- if .Values.checkDeprecation -}}
+ {{/* CUSTOM PROBES */}}
+ {{- if .Values.gitea.customLivenessProbe -}}
+ {{- fail "`gitea.customLivenessProbe` does no longer exist. Please refer to the changelog and configure `gitea.livenessProbe` instead." -}}
+ {{- end -}}
+ {{- if .Values.gitea.customReadinessProbe -}}
+ {{- fail "`gitea.customReadinessProbe` does no longer exist. Please refer to the changelog and configure `gitea.readinessProbe` instead." -}}
+ {{- end -}}
+ {{- if .Values.gitea.customStartupProbe -}}
+ {{- fail "`gitea.customStartupProbe` does no longer exist. Please refer to the changelog and configure `gitea.startupProbe` instead." -}}
+ {{- end -}}
+
+ {{/* LDAP SOURCES */}}
+ {{- if kindIs "map" .Values.gitea.ldap -}}
+ {{- fail "You can configure multiple LDAP sources. Please refer to the changelog and switch `gitea.ldap` from object to array notation." -}}
+ {{- end -}}
+
+ {{/* OAUTH SOURCES */}}
+ {{- if kindIs "map" .Values.gitea.oauth -}}
+ {{- fail "You can configure multiple OAuth sources. Please refer to the changelog and switch `gitea.oauth` from object to array notation." -}}
+ {{- end -}}
+
+ {{/* BUILTIN */}}
+ {{- if .Values.gitea.cache -}}
+ {{- if .Values.gitea.cache.builtIn -}}
+ {{- fail "`gitea.cache.builtIn` does no longer exist. Please use `memcached` at root level instead." -}}
+ {{- end -}}
+ {{- end -}}
+ {{- if .Values.gitea.database -}}
+ {{- if .Values.gitea.database.builtIn -}}
+ {{- fail "`gitea.database.builtIn` does no longer exist. Builtin databases can be configured inside the dependencies itself. Please refer to the changelog." -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/helm-gitea/templates/gitea/extra-list.yaml b/charts/helm-gitea/templates/gitea/extra-list.yaml
new file mode 100644
index 0000000..62c0aca
--- /dev/null
+++ b/charts/helm-gitea/templates/gitea/extra-list.yaml
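Review bot: The `gitea.cache.builtIn` failure message points users to `memcached` at root level, while the helpers in this same patch wire cache, session and queue defaults to the `valkey` / `valkey-cluster` dependencies, so the guidance appears to name a dependency this chart no longer ships; replacing `memcached` with `valkey` (or `valkey-cluster`) in that message, if that is indeed the supported replacement, keeps the deprecation path usable. The probe and builtIn messages also read "does no longer exist"; "no longer exists" is the idiomatic form and would be a one-word change in each string.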
@@ -0,0 +1,8 @@
+{{- range .Values.extraDeploy }}
+---
+{{- if typeIs "string" . }}
+ {{- tpl . $ }}
+{{- else }}
+ {{- tpl (. | toYaml) $ }}
+{{- end }}
+{{- end }}
diff --git a/charts/helm-gitea/templates/gitea/gpg-secret.yaml b/charts/helm-gitea/templates/gitea/gpg-secret.yaml
new file mode 100644
index 0000000..46633c8
--- /dev/null
+++ b/charts/helm-gitea/templates/gitea/gpg-secret.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.signing.enabled -}}
+{{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}}
+ {{- fail "Either specify `signing.privateKey` or `signing.existingSecret`" -}}
+{{- end }}
+{{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "gitea.gpg-key-secret-name" . }}
+ namespace: {{ .Values.namespace | default .Release.Namespace }}
+ labels:
+ {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+data:
+ privateKey: {{ .Values.signing.privateKey | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/helm-gitea/templates/gitea/http-svc.yaml b/charts/helm-gitea/templates/gitea/http-svc.yaml
new file mode 100644
index 0000000..28bd218
--- /dev/null
+++ b/charts/helm-gitea/templates/gitea/http-svc.yaml
@@ -0,0 +1,54 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gitea.fullname" . }}-http + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + {{- if .Values.service.http.labels }} + {{- toYaml .Values.service.http.labels | nindent 4 }} + {{- end }} + annotations: + {{- toYaml .Values.service.http.annotations | nindent 4 }} +spec: + type: {{ .Values.service.http.type }} + {{- if eq .Values.service.http.type "LoadBalancer" }} + {{- if .Values.service.http.loadBalancerClass }} + loadBalancerClass: {{ .Values.service.http.loadBalancerClass }} + {{- end }} + {{- if and .Values.service.http.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.http.loadBalancerIP }} + {{- end }} + {{- if .Values.service.http.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range .Values.service.http.loadBalancerSourceRanges }} + - {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.service.http.externalIPs }} + externalIPs: + {{- toYaml .Values.service.http.externalIPs | nindent 4 }} + {{- end }} + {{- if .Values.service.http.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.http.ipFamilyPolicy }} + {{- end }} + {{- with .Values.service.http.ipFamilies }} + ipFamilies: + {{- toYaml . | nindent 4 }} + {{- end -}} + {{- if .Values.service.http.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.service.http.externalTrafficPolicy }} + {{- end }} + {{- if and .Values.service.http.clusterIP (eq .Values.service.http.type "ClusterIP") }} + clusterIP: {{ .Values.service.http.clusterIP }} + {{- end }} + ports: + - name: http + port: {{ .Values.service.http.port }} + {{- if .Values.service.http.nodePort }} + nodePort: {{ .Values.service.http.nodePort }} + {{- end }} + targetPort: {{ .Values.gitea.config.server.HTTP_PORT }} + selector: + {{- include "gitea.selectorLabels" . | nindent 4 }} 
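Review bot: `{{- if and .Values.service.http.loadBalancerIP }}` applies `and` to a single operand, which is a no-op and reads as if a second condition had been lost; the corresponding line in ssh-svc.yaml uses the plain `{{- if .Values.service.ssh.loadBalancerIP }}`, so this one should too. Separately, `annotations:` is emitted unconditionally via `toYaml .Values.service.http.annotations`; an empty map renders the harmless `annotations: {}`, but a nil value (key omitted or set to `~` by a user) becomes `annotations: null`. A `{{- with }}` guard, as this file already uses for `ipFamilies`, keeps the output clean in both cases; the same applies to the `annotations:` block in ssh-svc.yaml.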
diff --git a/charts/helm-gitea/templates/gitea/ingress.yaml b/charts/helm-gitea/templates/gitea/ingress.yaml new file mode 100644 index 0000000..9312ffb --- /dev/null +++ b/charts/helm-gitea/templates/gitea/ingress.yaml @@ -0,0 +1,62 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "gitea.fullname" . -}} +{{- $httpPort := .Values.service.http.port -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + annotations: + {{- range $key, $value := .Values.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + ingressClassName: {{ tpl .Values.ingress.className . }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ tpl . $ | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ tpl .host $ | quote }} + http: + paths: + {{- if .paths }} + {{- range .paths }} + {{- if kindIs "string" . }} + - path: {{ . }} + pathType: {{ default "Prefix" $.Values.ingress.pathType }} + backend: + service: + name: {{ $fullName }}-http + port: + number: {{ $httpPort }} + {{- else }} + - path: {{ .path | default "/" }} + pathType: {{ .pathType | default "Prefix" }} + backend: + service: + name: {{ $fullName }}-http + port: + number: {{ $httpPort }} + {{- end }} + {{- end }} + {{- else }} + - path: "/" + pathType: "Prefix" + backend: + service: + name: {{ $fullName }}-http + port: + number: {{ $httpPort }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/helm-gitea/templates/gitea/init.yaml b/charts/helm-gitea/templates/gitea/init.yaml new file mode 100644 index 0000000..2c30c9f --- /dev/null +++ b/charts/helm-gitea/templates/gitea/init.yaml 
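Review bot: `secretName: {{ .secretName }}` in the tls block is the only host-related user value not passed through `tpl`, while the `.hosts` entries of the same list go through `tpl . $ | quote`; a name that uses template syntax therefore works for hosts but is emitted verbatim for the secret. `secretName: {{ tpl .secretName $ | quote }}` makes the two consistent. Also, `ingressClassName: {{ tpl .Values.ingress.className . }}` is emitted unconditionally, so an empty className renders an empty (null) field rather than omitting it; wrapping it in `{{- with .Values.ingress.className }}` avoids depending on the API server treating that as unset.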
@@ -0,0 +1,228 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gitea.fullname" . }}-init + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: + {{- include "gitea.labels" . | nindent 4 }} +type: Opaque +stringData: +{{ (.Files.Glob "scripts/init-containers/init/*.sh").AsConfig | indent 2 }} + init_directory_structure.sh: |- + #!/usr/bin/env bash + + set -euo pipefail + + {{- if .Values.initPreScript }} + # BEGIN: initPreScript + {{- with .Values.initPreScript -}} + {{ . | nindent 4}} + {{- end -}} + # END: initPreScript + {{- end }} + + {{- if not .Values.image.rootless }} + chown -v 1000:1000 /data + {{- end }} + mkdir -pv /data/git/.ssh + chmod -Rv 700 /data/git/.ssh + [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf + + # prepare temp directory structure + mkdir -pv "${GITEA_TEMP}" + {{- if not .Values.image.rootless }} + chown -v 1000:1000 "${GITEA_TEMP}" + {{- end }} + chmod -v ug+rwx "${GITEA_TEMP}" + + {{ if .Values.signing.enabled -}} + if [ ! -d "${GNUPGHOME}" ]; then + mkdir -pv "${GNUPGHOME}" + chmod -v 700 "${GNUPGHOME}" + chown -v 1000:1000 "${GNUPGHOME}" + fi + {{- end }} + + configure_gitea.sh: |- + #!/usr/bin/env bash + + set -euo pipefail + + echo '==== BEGIN GITEA CONFIGURATION ====' + + { # try + gitea migrate + } || { # catch + echo "Gitea migrate might fail due to database connection...This init-container will try again in a few seconds" + exit 1 + } + + {{- if include "valkey.servicename" . }} + function test_valkey_connection() { + local RETRY=0 + local MAX=30 + + echo 'Wait for valkey to become avialable...' + until [ "${RETRY}" -ge "${MAX}" ]; do + nc -vz -w2 {{ include "valkey.servicename" . }} {{ include "valkey.port" . }} && break + RETRY=$[${RETRY}+1] + echo "...not ready yet (${RETRY}/${MAX})" + done + + if [ "${RETRY}" -ge "${MAX}" ]; then + echo "Valkey not reachable after '${MAX}' attempts!" 
+ exit 1 + fi + } + + test_valkey_connection + {{- end }} + + + {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }} + function configure_admin_user() { + local full_admin_list=$(gitea admin user list --admin) + local actual_user_table='' + + # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line + local regex="(.*)(ID\s+Username\s+Email\s+IsActive.*)" + if [[ "${full_admin_list}" =~ $regex ]]; then + actual_user_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline + else + # This code block should never be reached, as long as the output table header remains the same. + # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script. + + echo "ERROR: 'configure_admin_user' was not able to determine the current list of admin users." + echo " Please review the output of 'gitea admin user list --admin' shown below." + echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues." + echo "DEBUG: Output of 'gitea admin user list --admin'" + echo "--" + echo "${full_admin_list}" + echo "--" + exit 1 + fi + + local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}") + if [[ -z "${ACCOUNT_ID}" ]]; then + local -a create_args + create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }}) + if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then + create_args+=(--must-change-password=true) + else + create_args+=(--must-change-password=false) + fi + echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..." + gitea admin user create "${create_args[@]}" + echo '...created.' 
+ else + if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then + echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..." + # See https://gitea.com/gitea/helm-gitea/issues/673 + # --must-change-password argument was added to change-password, defaulting to true, counter to the previous behavior + # which acted as if it were provided with =false. If the argument is present in this version of gitea, then we + # should add it to prevent requiring frequent admin password resets. + local -a change_args + change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}") + if gitea admin user change-password --help | grep -qF -- '--must-change-password'; then + change_args+=(--must-change-password=false) + fi + gitea admin user change-password "${change_args[@]}" + echo '...password sync done.' + else + echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping." + fi + fi + } + + configure_admin_user + {{- end }} + + function configure_ldap() { + {{- if .Values.gitea.ldap }} + {{- range $idx, $value := .Values.gitea.ldap }} + local LDAP_NAME={{ (printf "%s" $value.name) | squote }} + local full_auth_list=$(gitea admin auth list --vertical-bars) + local actual_auth_table='' + + # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line + local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)" + if [[ "${full_auth_list}" =~ $regex ]]; then + actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline + else + # This code block should never be reached, as long as the output table header remains the same. + # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script. + + echo "ERROR: 'configure_ldap' was not able to determine the current list of authentication sources." 
+ echo " Please review the output of 'gitea admin auth list --vertical-bars' shown below." + echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues." + echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'" + echo "--" + echo "${full_auth_list}" + echo "--" + exit 1 + fi + + local GITEA_AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " " "{print \$1}") + + if [[ -z "${GITEA_AUTH_ID}" ]]; then + echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..." + gitea admin auth add-ldap {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }} + echo '...installed.' + else + echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..." + gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }} + echo '...sync settings done.' + fi + {{- end }} + {{- else }} + echo 'no ldap configuration... skipping.' + {{- end }} + } + + configure_ldap + + function configure_oauth() { + {{- if .Values.gitea.oauth }} + {{- range $idx, $value := .Values.gitea.oauth }} + local OAUTH_NAME={{ (printf "%s" $value.name) | squote }} + local full_auth_list=$(gitea admin auth list --vertical-bars) + local actual_auth_table='' + + # We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line + local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)" + if [[ "${full_auth_list}" =~ $regex ]]; then + actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline + else + # This code block should never be reached, as long as the output table header remains the same. + # If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script. 
+ + echo "ERROR: 'configure_oauth' was not able to determine the current list of authentication sources." + echo " Please review the output of 'gitea admin auth list --vertical-bars' shown below." + echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-gitea/issues." + echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'" + echo "--" + echo "${full_auth_list}" + echo "--" + exit 1 + fi + + local AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " " "{print \$1}") + + if [[ -z "${AUTH_ID}" ]]; then + echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..." + gitea admin auth add-oauth {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }} + echo '...installed.' + else + echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..." + gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }} + echo '...sync settings done.' + fi + {{- end }} + {{- else }} + echo 'no oauth configuration... skipping.' + {{- end }} + } + + configure_oauth + + echo '==== END GITEA CONFIGURATION ====' \ No newline at end of file diff --git a/charts/helm-gitea/templates/gitea/metrics-secret.yaml b/charts/helm-gitea/templates/gitea/metrics-secret.yaml new file mode 100644 index 0000000..fe26596 --- /dev/null +++ b/charts/helm-gitea/templates/gitea/metrics-secret.yaml 
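Review bot: In `configure_admin_user`, `grep -E "\s+${GITEA_ADMIN_USERNAME}\s+"` splices the username into an extended regex unescaped, so a name containing regex metacharacters can match a different row (and then run `change-password` against the wrong account id) or no row (and then attempt a duplicate create); the lookups in `configure_ldap` and `configure_oauth` interpolate `${LDAP_NAME}` / `${OAUTH_NAME}` into `grep -E` the same way. A fixed-string column comparison avoids this for the admin table, e.g. `local ACCOUNT_ID=$(echo "${actual_user_table}" | awk -v u="${GITEA_ADMIN_USERNAME}" '$2 == u { print $1 }')`. Separately, the admin password and the rendered LDAP/OAuth settings are handed to `gitea admin ...` as command-line arguments, which are readable from the container's process list while the command runs; if the CLI offers no file or stdin alternative, a comment next to `create_args` should record that this exposure is a known, accepted trade-off. Minor: `avialable` in the valkey wait message.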
@@ -0,0 +1,12 @@ +{{- if and (.Values.gitea.metrics.enabled) (.Values.gitea.metrics.serviceMonitor.enabled) (.Values.gitea.metrics.token) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gitea.metrics-secret-name" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: + {{- include "gitea.labels" . | nindent 4 }} +type: Opaque +data: + token: {{ .Values.gitea.metrics.token | b64enc }} +{{- end }} \ No newline at end of file diff --git a/charts/helm-gitea/templates/gitea/poddisruptionbudget.yaml b/charts/helm-gitea/templates/gitea/poddisruptionbudget.yaml new file mode 100644 index 0000000..270d5cf --- /dev/null +++ b/charts/helm-gitea/templates/gitea/poddisruptionbudget.yaml @@ -0,0 +1,18 @@ +{{- if .Values.podDisruptionBudget -}} +{{- if .Capabilities.APIVersions.Has "policy/v1" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "gitea.fullname" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: + {{- include "gitea.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "gitea.selectorLabels" . | nindent 6 }} + {{- toYaml .Values.podDisruptionBudget | nindent 2 }} +{{- end -}} \ No newline at end of file diff --git a/charts/helm-gitea/templates/gitea/pvc.yaml b/charts/helm-gitea/templates/gitea/pvc.yaml new file mode 100644 index 0000000..035dbc4 --- /dev/null +++ b/charts/helm-gitea/templates/gitea/pvc.yaml 
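Review bot: The `policy/v1beta1` fallback in poddisruptionbudget.yaml is taken whenever `.Capabilities.APIVersions.Has "policy/v1"` is false, which is also the case for an offline `helm template` run without `--api-versions`; the resulting manifest is then rejected by clusters that no longer serve the beta API (removed in Kubernetes 1.25). Since `policy/v1` has been served since 1.21, consider dropping the branch, or add a comment above the `if` stating that offline-rendered output must be produced with `--api-versions policy/v1` before it is applied.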
@@ -0,0 +1,26 @@ +{{- if and .Values.persistence.enabled .Values.persistence.create }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ .Values.persistence.claimName }} + namespace: {{ .Values.namespace | default .Release.Namespace }} + annotations: +{{ .Values.persistence.annotations | toYaml | indent 4}} + labels: +{{ .Values.persistence.labels | toYaml | indent 4}} +spec: + accessModes: + {{- if gt .Values.replicaCount 1.0 }} + - ReadWriteMany + {{- else }} + {{- .Values.persistence.accessModes | toYaml | nindent 4 }} + {{- end }} + volumeMode: Filesystem + {{- include "gitea.persistence.storageClass" . | nindent 2 }} + {{- with .Values.persistence.volumeName }} + volumeName: {{ . }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size }} +{{- end }} \ No newline at end of file diff --git a/charts/helm-gitea/templates/gitea/serviceaccount.yaml b/charts/helm-gitea/templates/gitea/serviceaccount.yaml new file mode 100644 index 0000000..0c211c5 --- /dev/null +++ b/charts/helm-gitea/templates/gitea/serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gitea.serviceAccountName" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.labels }} + {{- . | toYaml | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- . | toYaml | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- with .Values.serviceAccount.imagePullSecrets }} +imagePullSecrets: + {{- . | toYaml | nindent 2 }} +{{- end }} +{{- end }} diff --git a/charts/helm-gitea/templates/gitea/servicemonitor.yaml b/charts/helm-gitea/templates/gitea/servicemonitor.yaml new file mode 100644 index 0000000..502a1a8 --- /dev/null 
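Review bot: `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` in serviceaccount.yaml renders an empty (null) value when the key is absent or nil, and the API treats null here as unset, i.e. a token is mounted into every pod using this ServiceAccount. Nothing in this diff shows the Gitea pod needing API access, so the values default should be an explicit `false` (values.yaml is not in this chunk, so I cannot confirm what it sets), and the template can guard against nil with `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken | default false }}`.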
+++ b/charts/helm-gitea/templates/gitea/servicemonitor.yaml @@ -0,0 +1,43 @@ +{{- if and .Values.gitea.metrics.enabled .Values.gitea.metrics.serviceMonitor.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "gitea.fullname" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }} + {{- toYaml .Values.gitea.metrics.serviceMonitor.additionalLabels | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "gitea.selectorLabels" . | nindent 6 }} + endpoints: + - port: http + {{- if .Values.gitea.metrics.serviceMonitor.interval }} + interval: {{ .Values.gitea.metrics.serviceMonitor.interval }} + {{- end }} + {{- with .Values.gitea.metrics.serviceMonitor.relabelings }} + relabelings: + {{- . | toYaml | nindent 6 }} + {{- end }} + {{- if .Values.gitea.metrics.serviceMonitor.scheme }} + scheme: {{ .Values.gitea.metrics.serviceMonitor.scheme }} + {{- end }} + {{- if .Values.gitea.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.gitea.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- with .Values.gitea.metrics.serviceMonitor.tlsConfig }} + tlsConfig: + {{- . | toYaml | nindent 6 }} + {{- end }} + {{- if .Values.gitea.metrics.token }} + authorization: + type: Bearer + credentials: + name: {{ include "gitea.metrics-secret-name" . }} + key: token + optional: false + {{- end }} +{{- end -}} \ No newline at end of file diff --git a/charts/helm-gitea/templates/gitea/ssh-svc.yaml b/charts/helm-gitea/templates/gitea/ssh-svc.yaml new file mode 100644 index 0000000..b2046fe --- /dev/null +++ b/charts/helm-gitea/templates/gitea/ssh-svc.yaml 
@@ -0,0 +1,57 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gitea.fullname" . }}-ssh + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: + {{- include "gitea.labels" . | nindent 4 }} + {{- if .Values.service.ssh.labels }} + {{- toYaml .Values.service.ssh.labels | nindent 4 }} + {{- end }} + annotations: + {{- toYaml .Values.service.ssh.annotations | nindent 4 }} +spec: + type: {{ .Values.service.ssh.type }} + {{- if eq .Values.service.ssh.type "LoadBalancer" }} + {{- if .Values.service.ssh.loadBalancerClass }} + loadBalancerClass: {{ .Values.service.ssh.loadBalancerClass }} + {{- end }} + {{- if .Values.service.ssh.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }} + {{- end -}} + {{- if .Values.service.ssh.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range .Values.service.ssh.loadBalancerSourceRanges }} + - {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- if and .Values.service.ssh.clusterIP (eq .Values.service.ssh.type "ClusterIP") }} + clusterIP: {{ .Values.service.ssh.clusterIP }} + {{- end }} + {{- if .Values.service.ssh.externalIPs }} + externalIPs: + {{- toYaml .Values.service.ssh.externalIPs | nindent 4 }} + {{- end }} + {{- if .Values.service.ssh.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ssh.ipFamilyPolicy }} + {{- end }} + {{- with .Values.service.ssh.ipFamilies }} + ipFamilies: + {{- toYaml . | nindent 4 }} + {{- end -}} + {{- if .Values.service.ssh.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.service.ssh.externalTrafficPolicy }} + {{- end }} + ports: + - name: ssh + port: {{ .Values.service.ssh.port }} + {{- if .Values.gitea.config.server.SSH_LISTEN_PORT }} + targetPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }} + {{- end }} + protocol: TCP + {{- if .Values.service.ssh.nodePort }} + nodePort: {{ .Values.service.ssh.nodePort }} + {{- end }} + selector: + {{- include "gitea.selectorLabels" . | nindent 4 }} 
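Review bot: `{{- end -}}` after `loadBalancerIP` and after `ipFamilies` trims the trailing newline, whereas every other block in ssh-svc.yaml ends with `{{- end }}` (http-svc.yaml has the same `{{- end -}}` only after `ipFamilies`); the output is correct today only because the next line happens to start with another `{{-` action, so a plain key inserted after one of these blocks later would be glued onto the preceding line. Use `{{- end }}` throughout so the two Service templates can be diffed against each other.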
diff --git a/charts/helm-gitea/templates/tests/test-http-connection.yaml b/charts/helm-gitea/templates/tests/test-http-connection.yaml new file mode 100644 index 0000000..da28ea6 --- /dev/null +++ b/charts/helm-gitea/templates/tests/test-http-connection.yaml @@ -0,0 +1,18 @@ +{{- if .Values.test.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "gitea.fullname" . }}-test-connection" + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: +{{ include "gitea.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test-success +spec: + containers: + - name: wget + image: "{{ .Values.test.image.name }}:{{ .Values.test.image.tag }}" + command: ['wget'] + args: ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}'] + restartPolicy: Never +{{- end }} diff --git a/charts/helm-gitea/unittests/bash/test_helper/common-setup.bash b/charts/helm-gitea/unittests/bash/test_helper/common-setup.bash new file mode 100644 index 0000000..187abf5 --- /dev/null +++ b/charts/helm-gitea/unittests/bash/test_helper/common-setup.bash @@ -0,0 +1,7 @@ +#!/usr/bin/env bash + +function common_setup() { + load "$TEST_ROOT/test_helper/bats-support/load" + load "$TEST_ROOT/test_helper/bats-assert/load" + load "$TEST_ROOT/test_helper/bats-mock/stub" +} diff --git a/charts/helm-gitea/unittests/bash/tests/init-containers/config/config_environment.bats b/charts/helm-gitea/unittests/bash/tests/init-containers/config/config_environment.bats new file mode 100644 index 0000000..62364a6 --- /dev/null +++ b/charts/helm-gitea/unittests/bash/tests/init-containers/config/config_environment.bats 
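Review bot: `"helm.sh/hook": test-success` in test-http-connection.yaml is the Helm 2 spelling; Helm 3 still accepts it for backward compatibility but documents `test` as the hook name, so a new template should use `"helm.sh/hook": test`. The `wget` invocation also has no timeout, so an unresponsive service makes `helm test` wait for the hook timeout instead of failing fast; adding the timeout flag appropriate to the image's wget to `args` would shorten that, and a `resources` stanza would keep the short-lived pod within whatever quota the namespace enforces.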
@@ -0,0 +1,204 @@ +#!/usr/bin/env bats + +function setup() { + PROJECT_ROOT="$(git rev-parse --show-toplevel)" + TEST_ROOT="$PROJECT_ROOT/unittests/bash" + load "$TEST_ROOT/test_helper/common-setup" + common_setup + + export GITEA_APP_INI="$BATS_TEST_TMPDIR/app.ini" + export TMP_EXISTING_ENVS_FILE="$BATS_TEST_TMPDIR/existing-envs" + export ENV_TO_INI_MOUNT_POINT="$BATS_TEST_TMPDIR/env-to-ini-mounts" + + stub gitea \ + "generate secret INTERNAL_TOKEN : echo 'mocked-internal-token'" \ + "generate secret SECRET_KEY : echo 'mocked-secret-key'" \ + "generate secret JWT_SECRET : echo 'mocked-jwt-secret'" \ + "generate secret LFS_JWT_SECRET : echo 'mocked-lfs-jwt-secret'" +} + +function teardown() { + unstub gitea + # This condition exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open + if [ $ENV_TO_INI_EXPECTED -eq 1 ]; then + unstub environment-to-ini + fi +} + +# This function exists due to https://github.com/jasonkarns/bats-mock/pull/37 being still open +function expect_environment_to_ini_call() { + export ENV_TO_INI_EXPECTED=1 + stub environment-to-ini \ + "-o $GITEA_APP_INI : echo 'Stubbed environment-to-ini was called!'" +} + +function execute_test_script() { + currentEnvsBefore=$(env | sort) + source $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh + local exitCode=$? 
+ currentEnvsAfter=$(env | sort) + + # diff as unified +/- output without context before/after + diff --unified=0 <(echo "$currentEnvsBefore") <(echo "$currentEnvsAfter") + + exit $exitCode +} + +function write_mounted_file() { + # either "inlines" or "additionals" + scope="${1}" + file="${2}" + content="${3}" + + mkdir -p "$ENV_TO_INI_MOUNT_POINT/$scope/..data/" + echo "${content}" > "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file" + ln -sf "$ENV_TO_INI_MOUNT_POINT/$scope/..data/$file" "$ENV_TO_INI_MOUNT_POINT/$scope/$file" +} + +@test "works as expected when nothing is configured" { + expect_environment_to_ini_call + run $PROJECT_ROOT/scripts/init-containers/config/config_environment.sh + + assert_success + assert_line '...Initial secrets generated' + assert_line 'Reloading preset envs...' + assert_line '=== All configuration sources loaded ===' + assert_line 'Stubbed environment-to-ini was called!' +} + +@test "exports initial secrets" { + expect_environment_to_ini_call + run execute_test_script + + assert_success + assert_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret' + assert_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token' + assert_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key' + assert_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret' +} + +@test "does NOT export initial secrets when app.ini already exists" { + expect_environment_to_ini_call + touch $GITEA_APP_INI + + run execute_test_script + + assert_success + assert_line --partial 'An app.ini file already exists.' 
+ refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret' + refute_line '+GITEA__SECURITY__INTERNAL_TOKEN=mocked-internal-token' + refute_line '+GITEA__SECURITY__SECRET_KEY=mocked-secret-key' + refute_line '+GITEA__SERVER__LFS_JWT_SECRET=mocked-lfs-jwt-secret' +} + +@test "ensures that preset environment variables take precedence over auto-generated ones" { + expect_environment_to_ini_call + export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret" + + run execute_test_script + + assert_success + refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret' +} + +@test "ensures that preset environment variables take precedence over mounted ones" { + expect_environment_to_ini_call + export GITEA__OAUTH2__JWT_SECRET="pre-defined-jwt-secret" + write_mounted_file "inlines" "oauth2" "$(cat << EOF +JWT_SECRET=inline-jwt-secret +EOF +)" + + run execute_test_script + + assert_success + refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret' + refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret' +} + +@test "ensures that additionals take precedence over inlines" { + expect_environment_to_ini_call + write_mounted_file "inlines" "oauth2" "$(cat << EOF +JWT_SECRET=inline-jwt-secret +EOF +)" + write_mounted_file "additionals" "oauth2" "$(cat << EOF +JWT_SECRET=additional-jwt-secret +EOF +)" + + run execute_test_script + + assert_success + refute_line '+GITEA__OAUTH2__JWT_SECRET=mocked-jwt-secret' + refute_line '+GITEA__OAUTH2__JWT_SECRET=inline-jwt-secret' + assert_line '+GITEA__OAUTH2__JWT_SECRET=additional-jwt-secret' +} + +@test "ensures that dotted/dashed sections are properly masked" { + expect_environment_to_ini_call + write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF +WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP] +EOF +)" + + run execute_test_script + + assert_success + assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]' +} + +############################################################### +##### THIS IS A BUG, 
BUT I WANT IT TO BE COVERED BY TESTS ##### +############################################################### +@test "ensures uppercase section and setting names (🐞)" { + expect_environment_to_ini_call + export GITEA__oauth2__JwT_Secret="pre-defined-jwt-secret" + write_mounted_file "inlines" "repository.pull-request" "$(cat << EOF +WORK_IN_progress_PREFIXES=WIP:,[WIP] +EOF +)" + + run execute_test_script + + assert_success + assert_line '+GITEA__REPOSITORY_0X2E_PULL_0X2D_REQUEST__WORK_IN_PROGRESS_PREFIXES=WIP:,[WIP]' + assert_line '+GITEA__OAUTH2__JWT_SECRET=pre-defined-jwt-secret' +} + +@test "treats top-level configuration as section-less" { + expect_environment_to_ini_call + write_mounted_file "inlines" "_generals_" "$(cat << EOF +APP_NAME=Hello top-level configuration +RUN_MODE=dev +EOF +)" + + run execute_test_script + + assert_success + assert_line '+GITEA____APP_NAME=Hello top-level configuration' + assert_line '+GITEA____RUN_MODE=dev' +} + +@test "fails on invalid setting" { + write_mounted_file "inlines" "_generals_" "$(cat << EOF +some random invalid string +EOF +)" + + run execute_test_script + + assert_failure +} + +@test "treats empty setting name as invalid setting" { + write_mounted_file "inlines" "_generals_" "$(cat << EOF +=value +EOF +)" + + run execute_test_script + + assert_failure +} diff --git a/charts/helm-gitea/unittests/helm/check-actions-not-present.yaml b/charts/helm-gitea/unittests/helm/check-actions-not-present.yaml new file mode 100644 index 0000000..b08b679 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/check-actions-not-present.yaml 
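Review bot: `PROJECT_ROOT="$(git rev-parse --show-toplevel)"` in `setup` resolves to the repository root, but in this repository the chart lives under `charts/helm-gitea/` (see the file header), so `$TEST_ROOT/test_helper/common-setup` and `$PROJECT_ROOT/scripts/init-containers/config/config_environment.sh` will not exist unless the suite is run from a checkout where the chart is the top level. Anchoring on the test file instead, e.g. `PROJECT_ROOT="$(cd "$BATS_TEST_DIRNAME/../../../../.." && pwd)"`, keeps the suite runnable here. Separately, `teardown` evaluates `[ $ENV_TO_INI_EXPECTED -eq 1 ]` with the variable unquoted; in the last two tests nothing sets it, so the expression presumably degrades to `[ -eq 1 ]` and teardown itself errors — `[ "${ENV_TO_INI_EXPECTED:-0}" -eq 1 ]` avoids that.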
@@ -0,0 +1,12 @@
+suite: Check if actions raises an error
+release:
+ name: gitea-unittests
+ namespace: testing
+tests:
+ - it: fails when trying to configure actions due to removal
+ set:
+ actions:
+ enabled: true
+ asserts:
+ - failedTemplate:
+ errorMessage: The actions sub-chart has been outsourced to a dedicated chart available at https://gitea.com/gitea/helm-actions. For assistance with the migration process, check https://gitea.com/gitea/helm-actions/issues/9.
diff --git a/charts/helm-gitea/unittests/helm/config/actions-config.yaml b/charts/helm-gitea/unittests/helm/config/actions-config.yaml
new file mode 100644
index 0000000..0b55280
--- /dev/null
+++ b/charts/helm-gitea/unittests/helm/config/actions-config.yaml
@@ -0,0 +1,24 @@
+suite: config template | actions config
+release:
+ name: gitea-unittests
+ namespace: testing
+templates:
+ - templates/gitea/config.yaml
+tests:
+ - it: "actions are enabled by default (based on vanilla Gitea behavior)"
+ template: templates/gitea/config.yaml
+ asserts:
+ - documentIndex: 0
+ notExists:
+ path: stringData.actions
+
+ - it: "actions can be disabled via inline config"
+ template: templates/gitea/config.yaml
+ set:
+ gitea.config.actions.ENABLED: false
+ asserts:
+ - documentIndex: 0
+ equal:
+ path: stringData.actions
+ value: |-
+ ENABLED=false
diff --git a/charts/helm-gitea/unittests/helm/config/cache-config.yaml b/charts/helm-gitea/unittests/helm/config/cache-config.yaml
new file mode 100644
index 0000000..45b2a5b
--- /dev/null
+++ b/charts/helm-gitea/unittests/helm/config/cache-config.yaml
@@ -0,0 +1,66 @@ +suite: config template | cache config +release: + name: gitea-unittests + namespace: testing +tests: + - it: "cache is configured correctly for valkey-cluster" + template: templates/gitea/config.yaml + set: + valkey-cluster: + enabled: true + valkey: + enabled: false + asserts: + - documentIndex: 0 + equal: + path: stringData.cache + value: |- + ADAPTER=redis + HOST=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s& + + - it: "cache is configured correctly for valkey" + template: templates/gitea/config.yaml + set: + valkey-cluster: + enabled: false + valkey: + enabled: true + asserts: + - documentIndex: 0 + equal: + path: stringData.cache + value: |- + ADAPTER=redis + HOST=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s& + + - it: "cache is configured correctly for 'memory' when valkey (or valkey-cluster) is disabled" + template: templates/gitea/config.yaml + set: + valkey-cluster: + enabled: false + valkey: + enabled: false + asserts: + - documentIndex: 0 + equal: + path: stringData.cache + value: |- + ADAPTER=memory + HOST= + + - it: "cache can be customized when valkey (or valkey-cluster) is disabled" + template: templates/gitea/config.yaml + set: + valkey-cluster: + enabled: false + valkey: + enabled: false + gitea.config.cache.ADAPTER: custom-adapter + gitea.config.cache.HOST: custom-host + asserts: + - documentIndex: 0 + equal: + path: stringData.cache + value: |- + ADAPTER=custom-adapter + HOST=custom-host diff --git a/charts/helm-gitea/unittests/helm/config/metrics-section_metrics-token.yaml b/charts/helm-gitea/unittests/helm/config/metrics-section_metrics-token.yaml new file mode 100644 index 0000000..b8115a1 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/config/metrics-section_metrics-token.yaml 
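Review bot: The expected value for the valkey case pins a literal credential in `redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/...`, so this test documents that the bundled valkey sub-chart ships with `changeme` as its default password (queue-config.yaml pins the same string). That is acceptable for a unit test, but nothing in the suite says where the value comes from or that it is not meant to reach a real deployment; a comment above the assertion such as `# "changeme" is the valkey sub-chart default; deployments are expected to override it` makes the intent explicit and keeps a future default change from reading as a regression.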
@@ -0,0 +1,58 @@ +suite: config template | metrics section (metrics token) +release: + name: gitea-unittests + namespace: testing +tests: + - it: metrics token is set + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: true + token: "somepassword" + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=true + TOKEN=somepassword + - it: metrics token is empty + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: true + token: "" + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=true + - it: metrics token is nil + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: true + token: + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=true + - it: does not configures a token if metrics are disabled + template: templates/gitea/config.yaml + set: + gitea: + metrics: + enabled: false + token: "somepassword" + asserts: + - documentIndex: 0 + equal: + path: stringData.metrics + value: |- + ENABLED=false diff --git a/charts/helm-gitea/unittests/helm/config/queue-config.yaml b/charts/helm-gitea/unittests/helm/config/queue-config.yaml new file mode 100644 index 0000000..86793f9 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/config/queue-config.yaml 
@@ -0,0 +1,66 @@ +suite: config template | queue config +release: + name: gitea-unittests + namespace: testing +tests: + - it: "queue is configured correctly for valkey-cluster" + template: templates/gitea/config.yaml + set: + valkey-cluster: + enabled: true + valkey: + enabled: false + asserts: + - documentIndex: 0 + equal: + path: stringData.queue + value: |- + CONN_STR=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s& + TYPE=redis + + - it: "queue is configured correctly for valkey" + template: templates/gitea/config.yaml + set: + valkey-cluster: + enabled: false + valkey: + enabled: true + asserts: + - documentIndex: 0 + equal: + path: stringData.queue + value: |- + CONN_STR=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s& + TYPE=redis + + - it: "queue is configured correctly for 'levelDB' when valkey (and valkey-cluster) is disabled" + template: templates/gitea/config.yaml + set: + valkey-cluster: + enabled: false + valkey: + enabled: false + asserts: + - documentIndex: 0 + equal: + path: stringData.queue + value: |- + CONN_STR= + TYPE=level + + - it: "queue can be customized when valkey (and valkey-cluster) are disabled" + template: templates/gitea/config.yaml + set: + valkey-cluster: + enabled: false + valkey: + enabled: false + gitea.config.queue.TYPE: custom-type + gitea.config.queue.CONN_STR: custom-connection-string + asserts: + - documentIndex: 0 + equal: + path: stringData.queue + value: |- + CONN_STR=custom-connection-string + TYPE=custom-type diff --git a/charts/helm-gitea/unittests/helm/config/server-section_domain.yaml b/charts/helm-gitea/unittests/helm/config/server-section_domain.yaml new file mode 100644 index 0000000..cf5a3b8 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/config/server-section_domain.yaml 
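Review bot: The valkey-cluster case asserts `CONN_STR=redis+cluster://:@gitea-unittests-valkey-cluster-headless...`, i.e. an empty password, and there is no counterpart that enables authentication on the cluster subchart and checks the credential is threaded into the queue connection string. The valkey-cluster integrity suite in this same change shows `valkey-cluster.usePassword: true` producing a Secret, but nothing verifies Gitea's config consumes it, so a regression that leaves the queue unauthenticated while the cluster requires auth (or vice versa) would go unnoticed. I would add a case with `valkey-cluster.enabled: true` and `valkey-cluster.usePassword: true` that asserts the rendered `CONN_STR` contains a non-empty password segment (`matchRegex` with `redis\+cluster://:[^@]+@`), or document with a comment why an auth-less cluster connection is the supported default.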
@@ -0,0 +1,67 @@ +suite: config template | server section (domain related) +release: + name: gitea-unittests + namespace: testing +tests: + - it: "[default values] uses ingress host for DOMAIN|SSH_DOMAIN|ROOT_URL" + template: templates/gitea/config.yaml + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nDOMAIN=git.example.com + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nSSH_DOMAIN=git.example.com + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nROOT_URL=http://git.example.com + + ################################################ + + - it: "[no ingress hosts] uses gitea http service for DOMAIN|SSH_DOMAIN|ROOT_URL" + template: templates/gitea/config.yaml + set: + ingress: + hosts: [] + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nDOMAIN=gitea-unittests-http.testing.svc.cluster.local + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nSSH_DOMAIN=gitea-unittests-http.testing.svc.cluster.local + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nROOT_URL=http://gitea-unittests-http.testing.svc.cluster.local + + ################################################ + + - it: "[provided via values] uses that for DOMAIN|SSH_DOMAIN|ROOT_URL" + template: templates/gitea/config.yaml + set: + gitea.config.server.DOMAIN: provided.example.com + ingress: + hosts: + - host: non-used.example.com + paths: + - path: / + pathType: Prefix + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nDOMAIN=provided.example.com + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nSSH_DOMAIN=provided.example.com + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nROOT_URL=http://provided.example.com 
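Review bot: The `matchRegex` patterns in all three cases leave the dots unescaped (`\nDOMAIN=git.example.com`, `\nROOT_URL=http://git.example.com`, `\nDOMAIN=provided.example.com`), so `.` matches any character and a rendered value like `gitXexample.com` would still pass; the inline-config suite in this change escapes them, and these should too, e.g. `pattern: \nDOMAIN=git\.example\.com`. The `[provided via values]` case also only exercises the plain-`http` derivation of `ROOT_URL`; since `ROOT_URL`'s scheme drives generated links and redirect targets, a fourth case that sets `ingress.tls` for `provided.example.com` and asserts `\nROOT_URL=https://provided\.example\.com` would cover the secure path that the domain override is most likely to be used with.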
diff --git a/charts/helm-gitea/unittests/helm/config/session-config.yaml b/charts/helm-gitea/unittests/helm/config/session-config.yaml new file mode 100644 index 0000000..9c50c61 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/config/session-config.yaml @@ -0,0 +1,66 @@ +suite: config template | session config +release: + name: gitea-unittests + namespace: testing +tests: + - it: "session is configured correctly for valkey-cluster" + template: templates/gitea/config.yaml + set: + valkey-cluster: + enabled: true + valkey: + enabled: false + asserts: + - documentIndex: 0 + equal: + path: stringData.session + value: |- + PROVIDER=redis + PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s& + + - it: "session is configured correctly for valkey" + template: templates/gitea/config.yaml + set: + valkey-cluster: + enabled: false + valkey: + enabled: true + asserts: + - documentIndex: 0 + equal: + path: stringData.session + value: |- + PROVIDER=redis + PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s& + + - it: "session is configured correctly for 'memory' when valkey (and valkey-cluster) is disabled" + template: templates/gitea/config.yaml + set: + valkey-cluster: + enabled: false + valkey: + enabled: false + asserts: + - documentIndex: 0 + equal: + path: stringData.session + value: |- + PROVIDER=memory + PROVIDER_CONFIG= + + - it: "session can be customized when valkey (and valkey-cluster) is disabled" + template: templates/gitea/config.yaml + set: + valkey-cluster: + enabled: false + valkey: + enabled: false + gitea.config.session.PROVIDER: custom-provider + gitea.config.session.PROVIDER_CONFIG: custom-provider-config + asserts: + - documentIndex: 0 + equal: + path: stringData.session + value: |- + PROVIDER=custom-provider + PROVIDER_CONFIG=custom-provider-config 
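Review bot: The "session can be customized" case only covers `gitea.config.session.PROVIDER_CONFIG` when both valkey subcharts are disabled, so the precedence between an operator-supplied provider config and the auto-generated `redis://:changeme@...` string when `valkey.enabled: true` is untested. That matters for the common hardening move of pointing the session store at an external TLS-terminated instance (`rediss://`) while leaving the subchart on for other uses; a silent win for the generated string would downgrade that to a plaintext connection carrying the default password. I would add a case with `valkey.enabled: true` and `gitea.config.session.PROVIDER_CONFIG: rediss://external:6380/0` that pins whichever precedence the chart intends, and comment the case with `# user-supplied PROVIDER_CONFIG must win over the generated subchart connection string` (or the inverse, if that is the design).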
diff --git a/charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml b/charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml new file mode 100644 index 0000000..efef6ef --- /dev/null +++ b/charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-postgresql-ha.yaml 
@@ -0,0 +1,121 @@ +suite: Dependency checks | Customization integrity | postgresql-ha +release: + name: gitea-unittests + namespace: testing +set: + postgresql: + enabled: false + postgresql-ha: + enabled: true + global: + postgresql: + database: gitea-database + password: gitea-password + username: gitea-username + postgresql: + repmgrPassword: custom-password-repmgr + postgresPassword: custom-password-postgres + password: custom-password-overwritten-by-global-postgresql-password + pgpool: + adminPassword: custom-password-pgpool + service: + ports: + postgresql: 1234 + persistence: + size: 1337Mi +tests: + - it: "[postgresql-ha] DB settings are applied as expected" + template: charts/postgresql-ha/templates/postgresql/statefulset.yaml + asserts: + - documentIndex: 0 + contains: + path: spec.template.spec.containers[0].env + content: + name: POSTGRES_DB + value: "gitea-database" + - documentIndex: 0 + contains: + path: spec.template.spec.containers[0].env + content: + name: POSTGRES_USER + value: "gitea-username" + - it: "[postgresql-ha] DB passwords are applied as expected" + template: charts/postgresql-ha/templates/postgresql/secrets.yaml + asserts: + - documentIndex: 0 + equal: + path: data["repmgr-password"] + value: "Y3VzdG9tLXBhc3N3b3JkLXJlcG1ncg==" + - documentIndex: 0 + equal: + path: data["postgres-password"] + value: "Y3VzdG9tLXBhc3N3b3JkLXBvc3RncmVz" + - documentIndex: 0 + equal: + path: data["password"] + value: "Z2l0ZWEtcGFzc3dvcmQ=" # postgresql-ha.postgresql.password is overwritten by postgresql-ha.global.postgresql.password and should not be referenced here + - it: "[postgresql-ha] pgpool.adminPassword is applied as expected" + template: charts/postgresql-ha/templates/pgpool/secrets.yaml + asserts: + - documentIndex: 0 + equal: + path: data["admin-password"] + value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA==" + - it: "[postgresql-ha] pgpool.adminPassword is applied as expected" + template: charts/postgresql-ha/templates/pgpool/secrets.yaml + asserts: + - 
documentIndex: 0 + equal: + path: data["admin-password"] + value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA==" + - it: "[postgresql-ha] pgpool.adminPassword is applied as expected" + template: charts/postgresql-ha/templates/pgpool/secrets.yaml + asserts: + - documentIndex: 0 + equal: + path: data["admin-password"] + value: "Y3VzdG9tLXBhc3N3b3JkLXBncG9vbA==" + - it: "[postgresql-ha] persistence.size is applied as expected" + template: charts/postgresql-ha/templates/postgresql/statefulset.yaml + asserts: + - documentIndex: 0 + equal: + path: spec.volumeClaimTemplates[0].spec.resources.requests.storage + value: "1337Mi" + - it: "[postgresql-ha] service.ports.postgresql is applied as expected" + template: charts/postgresql-ha/templates/pgpool/service.yaml + asserts: + - documentIndex: 0 + equal: + path: spec.ports[0].port + value: 1234 + - it: "[postgresql-ha] renders the referenced service" + template: charts/postgresql-ha/templates/pgpool/service.yaml + asserts: + - containsDocument: + kind: Service + apiVersion: v1 + name: gitea-unittests-postgresql-ha-pgpool + namespace: testing + - it: "[gitea] connects to pgpool service" + template: templates/gitea/config.yaml + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.database + pattern: HOST=gitea-unittests-postgresql-ha-pgpool.testing.svc.cluster.local:1234 + - it: "[gitea] connects to configured database" + template: templates/gitea/config.yaml + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.database + pattern: NAME=gitea-database + - documentIndex: 0 + matchRegex: + path: stringData.database + pattern: USER=gitea-username + - documentIndex: 0 + matchRegex: + path: stringData.database + pattern: PASSWD=gitea-password diff --git a/charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-postgresql.yaml b/charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-postgresql.yaml new file mode 100644 index 0000000..a84ddc3 --- /dev/null 
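Review bot: The case `"[postgresql-ha] pgpool.adminPassword is applied as expected"` is present three times with identical `template` and `asserts` (once at the end of the previous hunk line, twice here), which looks like a copy-paste slip; two of them should be removed or turned into the checks that were presumably intended. The surrounding comment on `data["password"]` explains that `postgresql-ha.postgresql.password` is overridden by the global password, but nothing asserts that the overridden value `custom-password-overwritten-by-global-postgresql-password` does not surface anywhere, so a `notMatchRegex` on `stringData.database` for that string in the `[gitea] connects to configured database` case would make the precedence claim testable. The hunk is otherwise self-contained.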
+++ b/charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-postgresql.yaml 
@@ -0,0 +1,88 @@ +suite: Dependency checks | Customization integrity | postgresql +release: + name: gitea-unittests + namespace: testing +set: + postgresql-ha: + enabled: false + postgresql: + enabled: true + global: + postgresql: + auth: + password: gitea-password + database: gitea-database + username: gitea-username + service: + ports: + postgresql: 1234 + primary: + persistence: + size: 1337Mi +tests: + - it: "[postgresql] DB settings are applied as expected" + template: charts/postgresql/templates/primary/statefulset.yaml + asserts: + - documentIndex: 0 + contains: + path: spec.template.spec.containers[0].env + content: + name: POSTGRES_DATABASE + value: "gitea-database" + - documentIndex: 0 + contains: + path: spec.template.spec.containers[0].env + content: + name: POSTGRES_USER + value: "gitea-username" + - it: "[postgresql] DB password is applied as expected" + template: charts/postgresql/templates/secrets.yaml + asserts: + - documentIndex: 0 + equal: + path: data["password"] + value: "Z2l0ZWEtcGFzc3dvcmQ=" + - it: "[postgresql] primary.persistence.size is applied as expected" + template: charts/postgresql/templates/primary/statefulset.yaml + asserts: + - documentIndex: 0 + equal: + path: spec.volumeClaimTemplates[0].spec.resources.requests.storage + value: "1337Mi" + - it: "[postgresql] global.postgresql.service.ports.postgresql is applied as expected" + template: charts/postgresql/templates/primary/svc.yaml + asserts: + - documentIndex: 0 + equal: + path: spec.ports[0].port + value: 1234 + - it: "[postgresql] renders the referenced service" + template: charts/postgresql/templates/primary/svc.yaml + asserts: + - containsDocument: + kind: Service + apiVersion: v1 + name: gitea-unittests-postgresql + namespace: testing + - it: "[gitea] connects to postgresql service" + template: templates/gitea/config.yaml + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.database + pattern: HOST=gitea-unittests-postgresql.testing.svc.cluster.local:1234 + - it: 
"[gitea] connects to configured database" + template: templates/gitea/config.yaml + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.database + pattern: NAME=gitea-database + - documentIndex: 0 + matchRegex: + path: stringData.database + pattern: USER=gitea-username + - documentIndex: 0 + matchRegex: + path: stringData.database + pattern: PASSWD=gitea-password diff --git a/charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-valkey-cluster.yaml b/charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-valkey-cluster.yaml new file mode 100644 index 0000000..6243a41 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-valkey-cluster.yaml 
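Review bot: The `PASSWD=gitea-password`, `USER=gitea-username` and `NAME=gitea-database` patterns in the `[gitea] connects to configured database` case are unanchored, so a rendered `PASSWD=gitea-password-with-suffix` or any key ending in `PASSWD=` would also satisfy them; given these assert the credentials the application actually uses, they should be exact. If `matchRegex` uses Go regexp semantics as I believe it does, `pattern: (?m)^PASSWD=gitea-password$` (and likewise for `USER` and `NAME`) pins the full line. The same applies to the three patterns in the postgresql-ha suite of this change.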
@@ -0,0 +1,90 @@ +suite: Dependency checks | Customization integrity | valkey-cluster +release: + name: gitea-unittests + namespace: testing +set: + valkey: + enabled: false + valkey-cluster: + enabled: true + usePassword: false + cluster: + nodes: 5 + replicas: 2 +tests: + - it: "[valkey-cluster] configures correct nodes/replicas" + template: charts/valkey-cluster/templates/valkey-statefulset.yaml + asserts: + - documentIndex: 0 + equal: + path: spec.replicas + value: 5 + - documentIndex: 0 + matchRegex: + path: spec.template.spec.containers[0].args[0] + pattern: VALKEY_CLUSTER_REPLICAS="2" + - it: "[valkey-cluster] support auth-less connections" + asserts: + - template: charts/valkey-cluster/templates/secret.yaml + hasDocuments: + count: 0 + - template: charts/valkey-cluster/templates/valkey-statefulset.yaml + documentIndex: 0 + contains: + path: spec.template.spec.containers[0].env + content: + name: ALLOW_EMPTY_PASSWORD + value: "yes" + - it: "[valkey-cluster] support auth-full connections" + set: + valkey-cluster: + usePassword: true + asserts: + - template: charts/valkey-cluster/templates/secret.yaml + containsDocument: + kind: Secret + apiVersion: v1 + name: gitea-unittests-valkey-cluster + namespace: testing + - template: charts/valkey-cluster/templates/valkey-statefulset.yaml + documentIndex: 0 + contains: + path: spec.template.spec.containers[0].env + content: + name: REDISCLI_AUTH + valueFrom: + secretKeyRef: + name: gitea-unittests-valkey-cluster + key: valkey-password + - template: charts/valkey-cluster/templates/valkey-statefulset.yaml + documentIndex: 0 + contains: + path: spec.template.spec.containers[0].env + content: + name: REDISCLI_AUTH + valueFrom: + secretKeyRef: + name: gitea-unittests-valkey-cluster + key: valkey-password + - it: "[valkey-cluster] renders the referenced service" + template: charts/valkey-cluster/templates/headless-svc.yaml + asserts: + - containsDocument: + kind: Service + apiVersion: v1 + name: 
gitea-unittests-valkey-cluster-headless + namespace: testing + - documentIndex: 0 + contains: + path: spec.ports + content: + name: tcp-redis + port: 6379 + targetPort: tcp-redis + - it: "[gitea] waits for valkey-cluster to be up and running" + template: templates/gitea/init.yaml + asserts: + - documentIndex: 0 + matchRegex: + path: stringData["configure_gitea.sh"] + pattern: nc -vz -w2 gitea-unittests-valkey-cluster-headless.testing.svc.cluster.local 6379 diff --git a/charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-valkey.yaml b/charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-valkey.yaml new file mode 100644 index 0000000..40c0fc0 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/dependency-checks/customization-integrity-valkey.yaml 
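Review bot: The "support auth-full connections" case contains the same `REDISCLI_AUTH` `contains` assertion twice, verbatim, so one copy should be dropped. More importantly, that case only proves the subchart renders a Secret and wires `REDISCLI_AUTH` into its own StatefulSet; it never checks that Gitea's generated cache/queue/session connection strings pick up the password when `usePassword: true`, and the config suites in this change all expect the empty-credential form `redis+cluster://:@...`. A `matchRegex` on `templates/gitea/config.yaml` `stringData.cache` for `redis\+cluster://:[^@]+@` in this case would close that gap.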
@@ -0,0 +1,52 @@
+suite: Dependency checks | Customization integrity | valkey
+release:
+ name: gitea-unittests
+ namespace: testing
+set:
+ valkey-cluster:
+ enabled: false
+ valkey:
+ enabled: true
+ architecture: standalone
+ global:
+ valkey:
+ password: gitea-password
+ master:
+ count: 2
+tests:
+ - it: "[valkey] configures correct 'master' nodes"
+ template: charts/valkey/templates/primary/application.yaml
+ asserts:
+ - documentIndex: 0
+ equal:
+ path: spec.replicas
+ value: 1
+ - it: "[valkey] valkey.global.valkey.password is applied as expected"
+ template: charts/valkey/templates/secret.yaml
+ asserts:
+ - documentIndex: 0
+ equal:
+ path: data["valkey-password"]
+ value: "Z2l0ZWEtcGFzc3dvcmQ="
+ - it: "[valkey] renders the referenced service"
+ template: charts/valkey/templates/headless-svc.yaml
+ asserts:
+ - containsDocument:
+ kind: Service
+ apiVersion: v1
+ name: gitea-unittests-valkey-headless
+ namespace: testing
+ - documentIndex: 0
+ contains:
+ path: spec.ports
+ content:
+ name: tcp-redis
+ port: 6379
+ targetPort: redis
+ - it: "[gitea] waits for valkey to be up and running"
+ template: templates/gitea/init.yaml
+ asserts:
+ - documentIndex: 0
+ matchRegex:
+ path: stringData["configure_gitea.sh"]
+ pattern: nc -vz -w2 gitea-unittests-valkey-headless.testing.svc.cluster.local 6379
diff --git a/charts/helm-gitea/unittests/helm/dependency-checks/major-image-bump.yaml b/charts/helm-gitea/unittests/helm/dependency-checks/major-image-bump.yaml
new file mode 100644
index 0000000..ab4089f
--- /dev/null
+++ b/charts/helm-gitea/unittests/helm/dependency-checks/major-image-bump.yaml
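Review bot: The suite sets `master.count: 2` but the "[valkey] configures correct 'master' nodes" case asserts `spec.replicas` is `1`, and nothing explains the mismatch; a reader will assume the assertion is wrong rather than that `architecture: standalone` is expected to ignore the count. A comment on the assertion, `# standalone architecture renders a single primary regardless of master.count`, would make the intent explicit (hedged: confirm this is the subchart's documented behaviour before stating it). If the suite's goal is instead to verify `count` is honoured, the `set` should switch to an architecture that supports it.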
@@ -0,0 +1,57 @@
+suite: Dependency checks | Major image bumps
+release:
+ name: gitea-unittests
+ namespace: testing
+tests:
+ - it: "[postgresql-ha] ensures we detect major image version upgrades"
+ template: charts/postgresql-ha/templates/postgresql/statefulset.yaml
+ set:
+ postgresql:
+ enabled: false
+ postgresql-ha:
+ enabled: true
+ asserts:
+ - documentIndex: 0
+ matchRegex:
+ path: spec.template.spec.containers[0].image
+ # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+ pattern: bitnami/postgresql-repmgr:17.+$
+ - it: "[postgresql] ensures we detect major image version upgrades"
+ template: charts/postgresql/templates/primary/statefulset.yaml
+ set:
+ postgresql:
+ enabled: true
+ postgresql-ha:
+ enabled: false
+ asserts:
+ - documentIndex: 0
+ matchRegex:
+ path: spec.template.spec.containers[0].image
+ # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+ pattern: bitnami/postgresql:17.+$
+ - it: "[valkey-cluster] ensures we detect major image version upgrades"
+ template: charts/valkey-cluster/templates/valkey-statefulset.yaml
+ set:
+ valkey-cluster:
+ enabled: true
+ valkey:
+ enabled: false
+ asserts:
+ - documentIndex: 0
+ matchRegex:
+ path: spec.template.spec.containers[0].image
+ # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+ pattern: bitnami/valkey-cluster:8.+$
+ - it: "[valkey] ensures we detect major image version upgrades"
+ template: charts/valkey/templates/primary/application.yaml
+ set:
+ valkey-cluster:
+ enabled: false
+ valkey:
+ enabled: true
+ asserts:
+ - documentIndex: 0
+ matchRegex:
+ path: spec.template.spec.containers[0].image
+ # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+ pattern: bitnami/valkey:8.+$
diff --git a/charts/helm-gitea/unittests/helm/deployment/HA.yaml b/charts/helm-gitea/unittests/helm/deployment/HA.yaml
new file mode 100644
index 0000000..3828809
--- /dev/null
+++ b/charts/helm-gitea/unittests/helm/deployment/HA.yaml
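Review bot: The major-version guards use an unescaped dot, so `bitnami/postgresql:17.+$` also matches `bitnami/postgresql:170.0.0` or `:17-anything`, and `bitnami/valkey:8.+$` matches `:80.1`; the `.+` here means "any character, one or more", not "a dot then the minor version". The patterns should be `bitnami/postgresql-repmgr:17\..+$`, `bitnami/postgresql:17\..+$`, `bitnami/valkey-cluster:8\..+$` and `bitnami/valkey:8\..+$` so a silent jump past the pinned major is actually caught, which is the supply-chain property this suite exists for. Anchoring the start (`^docker\.io/bitnami/...` or `/bitnami/`) would additionally stop a registry swap from slipping through, but I have not confirmed the rendered prefix from this hunk alone.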
@@ -0,0 +1,59 @@ +suite: deployment template (HA) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/deployment.yaml + - templates/gitea/config.yaml +tests: + - it: fails with multiple replicas and "GIT_GC_REPOS" enabled + template: templates/gitea/deployment.yaml + set: + replicaCount: 2 + persistence: + accessModes: + - ReadWriteMany + gitea: + config: + cron: + GIT_GC_REPOS: + ENABLED: true + asserts: + - failedTemplate: + errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'gitea.config.cron.GIT_GC_REPOS.enabled = false'." + - it: fails with multiple replicas and RWX file system not set + template: templates/gitea/deployment.yaml + set: + replicaCount: 2 + asserts: + - failedTemplate: + errorMessage: "When using multiple replicas, a RWX file system is required and persistence.accessModes[0] must be set to ReadWriteMany." + - it: fails with multiple replicas and bleve issue indexer + template: templates/gitea/deployment.yaml + set: + replicaCount: 2 + persistence: + accessModes: + - ReadWriteMany + gitea: + config: + indexer: + ISSUE_INDEXER_TYPE: bleve + asserts: + - failedTemplate: + errorMessage: "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." + - it: fails with multiple replicas and bleve repo indexer + template: templates/gitea/deployment.yaml + set: + replicaCount: 2 + persistence: + accessModes: + - ReadWriteMany + gitea: + config: + indexer: + REPO_INDEXER_TYPE: bleve + REPO_INDEXER_ENABLED: true + asserts: + - failedTemplate: + errorMessage: "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." 
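Review bot: The first case sets `gitea.config.cron.GIT_GC_REPOS.ENABLED: true` but the pinned failure message tells the user to set `'gitea.config.cron.GIT_GC_REPOS.enabled = false'` in lower case, which is not the key the test (or the chart) actually reads; a user following the message verbatim would add a second key and still fail. Since this suite now locks the text in, either the template's message should be corrected to `gitea.config.cron.GIT_GC_REPOS.ENABLED = false` with the assertion updated to match, or a comment on the assertion should note the known mismatch. The other three `failedTemplate` checks look consistent with the keys they set.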
diff --git a/charts/helm-gitea/unittests/helm/deployment/basic.yaml b/charts/helm-gitea/unittests/helm/deployment/basic.yaml new file mode 100644 index 0000000..bc77ed7 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/deployment/basic.yaml 
@@ -0,0 +1,95 @@ +suite: deployment template (basic) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/deployment.yaml + - templates/gitea/config.yaml +tests: + - it: renders a deployment + template: templates/gitea/deployment.yaml + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: gitea-unittests + - it: deployment labels are set + template: templates/gitea/deployment.yaml + set: + deployment.labels: + hello: world + asserts: + - isSubset: + path: metadata.labels + content: + hello: world + - isSubset: + path: spec.template.metadata.labels + content: + hello: world + - it: "injects TMP_EXISTING_ENVS_FILE as environment variable to 'init-app-ini' init container" + template: templates/gitea/deployment.yaml + asserts: + - contains: + path: spec.template.spec.initContainers[1].env + content: + name: TMP_EXISTING_ENVS_FILE + value: /tmp/existing-envs + - it: "injects ENV_TO_INI_MOUNT_POINT as environment variable to 'init-app-ini' init container" + template: templates/gitea/deployment.yaml + asserts: + - contains: + path: spec.template.spec.initContainers[1].env + content: + name: ENV_TO_INI_MOUNT_POINT + value: /env-to-ini-mounts + - it: CPU resources are defined as well as GOMAXPROCS + template: templates/gitea/deployment.yaml + set: + resources: + limits: + cpu: 200ms + memory: 200Mi + requests: + cpu: 100ms + memory: 100Mi + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: GOMAXPROCS + valueFrom: + resourceFieldRef: + divisor: "1" + resource: limits.cpu + - equal: + path: spec.template.spec.containers[0].resources + value: + limits: + cpu: 200ms + memory: 200Mi + requests: + cpu: 100ms + memory: 100Mi + - it: Init containers have correct volumeMount path + template: templates/gitea/deployment.yaml + set: + initContainersScriptsVolumeMountPath: "/custom/init/path" + asserts: + - equal: + path: 
spec.template.spec.initContainers[*].volumeMounts[?(@.name=="init")].mountPath + value: "/custom/init/path" + - equal: + path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="config")].mountPath + value: "/custom/init/path" + - it: Init containers have correct volumeMount path if there is no override + template: templates/gitea/deployment.yaml + asserts: + - equal: + path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="init")].mountPath + value: "/usr/sbinx" + - equal: + path: spec.template.spec.initContainers[*].volumeMounts[?(@.name=="config")].mountPath + value: "/usr/sbinx" diff --git a/charts/helm-gitea/unittests/helm/deployment/deployment-additional-config.yaml b/charts/helm-gitea/unittests/helm/deployment/deployment-additional-config.yaml new file mode 100644 index 0000000..fdcf056 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/deployment/deployment-additional-config.yaml 
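Review bot: The "CPU resources are defined as well as GOMAXPROCS" case uses `cpu: 200ms` and `cpu: 100ms`, which are not valid Kubernetes CPU quantities (millicores are `200m`; `ms` is not a recognised suffix), so the fixture would be rejected by the API server even though the template passes it through unchanged. The values should be `cpu: 200m` / `cpu: 100m` in both `set` and the `equal` expectation, otherwise the test advertises a resource spec that cannot be applied. The `GOMAXPROCS` `resourceFieldRef` assertion itself is fine and worth keeping.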
@@ -0,0 +1,150 @@ +suite: deployment template +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/deployment.yaml + - templates/gitea/config.yaml +tests: + - it: Renders a deployment + template: templates/gitea/deployment.yaml + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: gitea-unittests + - it: Deployment with empty additionalConfigFromEnvs + template: templates/gitea/deployment.yaml + set: + gitea.additionalConfigFromEnvs: [] + asserts: + - hasDocuments: + count: 1 + - exists: + path: spec.template.spec.initContainers[1].env + - lengthEqual: + path: spec.template.spec.initContainers[1].env + count: 6 + - isSubset: + path: spec.template.spec.initContainers[1] + content: + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + - name: TMP_EXISTING_ENVS_FILE + value: /tmp/existing-envs + - name: ENV_TO_INI_MOUNT_POINT + value: /env-to-ini-mounts + - it: Deployment with standard additionalConfigFromEnvs + template: templates/gitea/deployment.yaml + set: + gitea.additionalConfigFromEnvs: [{name: GITEA_database_HOST, value: my-db:123}, {name: GITEA_database_USER, value: my-user}] + asserts: + - hasDocuments: + count: 1 + - exists: + path: spec.template.spec.initContainers[1].env + - lengthEqual: + path: spec.template.spec.initContainers[1].env + count: 8 + - isSubset: + path: spec.template.spec.initContainers[1] + content: + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + - name: TMP_EXISTING_ENVS_FILE + value: /tmp/existing-envs + - name: ENV_TO_INI_MOUNT_POINT + value: /env-to-ini-mounts + - name: GITEA_database_HOST + value: my-db:123 + - name: GITEA_database_USER + value: my-user + - it: 
Deployment with templated additionalConfigFromEnvs + template: templates/gitea/deployment.yaml + set: + gitea.misc.host: my-db-host:321 + gitea.misc.user: my-db-user + gitea.additionalConfigFromEnvs: [{name: GITEA_database_HOST, value: "{{ .Values.gitea.misc.host }}"}, {name: GITEA_database_USER, value: "{{ .Values.gitea.misc.user }}"}] + asserts: + - hasDocuments: + count: 1 + - exists: + path: spec.template.spec.initContainers[1].env + - lengthEqual: + path: spec.template.spec.initContainers[1].env + count: 8 + - isSubset: + path: spec.template.spec.initContainers[1] + content: + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + - name: TMP_EXISTING_ENVS_FILE + value: /tmp/existing-envs + - name: ENV_TO_INI_MOUNT_POINT + value: /env-to-ini-mounts + - name: GITEA_database_HOST + value: my-db-host:321 + - name: GITEA_database_USER + value: my-db-user + - it: Deployment with additionalConfigFromEnvs templated secret name + template: templates/gitea/deployment.yaml + set: + gitea.misc.existingSecret: my-db-secret + gitea.additionalConfigFromEnvs[0]: + name: GITEA_database_HOST + valueFrom: + secretKeyRef: + name: "{{ .Values.gitea.misc.existingSecret }}" + key: password + asserts: + - hasDocuments: + count: 1 + - exists: + path: spec.template.spec.initContainers[1].env + - lengthEqual: + path: spec.template.spec.initContainers[1].env + count: 7 + - isSubset: + path: spec.template.spec.initContainers[1] + content: + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + - name: TMP_EXISTING_ENVS_FILE + value: /tmp/existing-envs + - name: ENV_TO_INI_MOUNT_POINT + value: /env-to-ini-mounts + - name: GITEA_database_HOST + valueFrom: + secretKeyRef: + name: "my-db-secret" + key: password 
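Review bot: The "additionalConfigFromEnvs templated secret name" case reads the secret key `password` into `GITEA_database_HOST`, which makes the fixture read as if a database host were stored under a password key; it should use a matching pair such as `name: GITEA_database_PASSWD` with `key: password` so the test documents the intended secret-backed credential path rather than an accidental mismatch. It would also help to state in a comment that values like `"{{ .Values.gitea.misc.existingSecret }}"` are rendered through `tpl`, e.g. `# additionalConfigFromEnvs values are passed through tpl; only trusted values files should be used`, since template expansion of values is what these cases actually exercise. The four cases otherwise cover the env-list shape consistently.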
diff --git a/charts/helm-gitea/unittests/helm/deployment/image-configuration.yaml b/charts/helm-gitea/unittests/helm/deployment/image-configuration.yaml new file mode 100644 index 0000000..4a09a26 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/deployment/image-configuration.yaml 
@@ -0,0 +1,110 @@ +suite: deployment template (image configuration) +release: + name: gitea-unittests + namespace: testing +chart: + # Override appVersion to be consistent with used digest :) + appVersion: 1.19.3 +templates: + - templates/gitea/deployment.yaml + - templates/gitea/config.yaml +tests: + - it: default values + template: templates/gitea/deployment.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: "docker.gitea.com/gitea:1.19.3-rootless" + - it: tag override + template: templates/gitea/deployment.yaml + set: + image.tag: "1.19.4" + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: "docker.gitea.com/gitea:1.19.4-rootless" + - it: root-based image + template: templates/gitea/deployment.yaml + set: + image.rootless: false + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: "docker.gitea.com/gitea:1.19.3" + - it: scoped registry + template: templates/gitea/deployment.yaml + set: + image.registry: "example.com" + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: "example.com/gitea:1.19.3-rootless" + - it: global registry + template: templates/gitea/deployment.yaml + set: + global.imageRegistry: "global.example.com" + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: "global.example.com/gitea:1.19.3-rootless" + - it: digest for rootless image + template: templates/gitea/deployment.yaml + set: + image: + rootless: true + digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: "docker.gitea.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a" + - it: image fullOverride (does not append rootless) + template: templates/gitea/deployment.yaml + set: + image: + fullOverride: docker.gitea.com/gitea:1.19.3 + # setting rootless, registry, repository, tag, and digest to prove that override 
works + rootless: true + registry: example.com + repository: example/image + tag: "1.0.0" + digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: "docker.gitea.com/gitea:1.19.3" + - it: digest for root-based image + template: templates/gitea/deployment.yaml + set: + image: + rootless: false + digest: sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: "docker.gitea.com/gitea:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a" + - it: digest and global registry + template: templates/gitea/deployment.yaml + set: + global.imageRegistry: "global.example.com" + image.digest: "sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a" + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: "global.example.com/gitea:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a" + - it: correctly renders floating tag references + template: templates/gitea/deployment.yaml + set: + image.tag: 1.21 # use non-quoted value on purpose. See: https://gitea.com/gitea/helm-gitea/issues/631 + asserts: + - equal: + path: spec.template.spec.initContainers[0].image + value: "docker.gitea.com/gitea:1.21-rootless" + - equal: + path: spec.template.spec.initContainers[1].image + value: "docker.gitea.com/gitea:1.21-rootless" + - equal: + path: spec.template.spec.initContainers[2].image + value: "docker.gitea.com/gitea:1.21-rootless" + - equal: + path: spec.template.spec.containers[0].image + value: "docker.gitea.com/gitea:1.21-rootless" diff --git a/charts/helm-gitea/unittests/helm/deployment/ingress-configuration.yaml b/charts/helm-gitea/unittests/helm/deployment/ingress-configuration.yaml new file mode 100644 index 0000000..5136c1c --- /dev/null 
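Review bot: The "image fullOverride (does not append rootless)" case sets `image.digest` and then expects an image reference with no `@sha256:` at all, so `fullOverride` silently discards digest pinning; the test records that but does not call it out, and an operator relying on `image.digest` for supply-chain pinning would lose it the moment they set `fullOverride`. I would add a comment above that `set` block, `# NOTE: fullOverride is used verbatim; digest (and registry/tag) are ignored, so include @sha256:... in fullOverride if pinning is required`, and consider whether the chart should instead fail when both `fullOverride` and `digest` are set. The "correctly renders floating tag references" case is fine as a rendering check, though a similar comment that `1.21` is a floating tag would discourage copying it into production values.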
+++ b/charts/helm-gitea/unittests/helm/deployment/ingress-configuration.yaml @@ -0,0 +1,45 @@ +suite: Test ingress tpl use +templates: + - templates/gitea/ingress.yaml +tests: + - it: Ingress Class using TPL + set: + global.ingress.className: "ingress-class" + ingress.className: "{{ .Values.global.ingress.className }}" + ingress.enabled: true + ingress.hosts[0].host: "some-host" + ingress.tls: + - secretName: gitea-tls + hosts: + - "some-host" + asserts: + - isKind: + of: Ingress + - equal: + path: spec.tls[0].hosts[0] + value: "some-host" + - equal: + path: spec.rules[0].host + value: "some-host" + - equal: + path: spec.ingressClassName + value: "ingress-class" + + - it: hostname using TPL + set: + global.giteaHostName: "gitea.example.com" + ingress.enabled: true + ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}" + ingress.tls: + - secretName: gitea-tls + hosts: + - "{{ .Values.global.giteaHostName }}" + asserts: + - isKind: + of: Ingress + - equal: + path: spec.tls[0].hosts[0] + value: "gitea.example.com" + - equal: + path: spec.rules[0].host + value: "gitea.example.com" diff --git a/charts/helm-gitea/unittests/helm/deployment/inline-config.yaml b/charts/helm-gitea/unittests/helm/deployment/inline-config.yaml new file mode 100644 index 0000000..545bb36 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/deployment/inline-config.yaml 
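Review bot: This suite is the only one in the change without a `release:` block, so its rendered names fall back to helm-unittest's default release rather than `gitea-unittests`; adding `release: {name: gitea-unittests, namespace: testing}` keeps it consistent and makes name-based assertions possible. Both cases assert `spec.tls[0].hosts[0]` but never `spec.tls[0].secretName`, so a regression that drops or mis-templates `gitea-tls` (the certificate the TLS listener depends on) would pass; an `equal` on `spec.tls[0].secretName` with value `gitea-tls` in each case closes that. The `hostname using TPL` case is otherwise a good check that the templated host reaches both `rules` and `tls`.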
@@ -0,0 +1,33 @@ +suite: config template +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/config.yaml +tests: + - it: inline config stringData.server using TPL + set: + global.giteaHostName: "gitea.example.com" + ingress.enabled: true + ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}" + ingress.tls: + - secretName: gitea-tls + hosts: + - "{{ .Values.global.giteaHostName }}" + asserts: + - documentIndex: 0 + matchRegex: + path: metadata.name + pattern: .*-inline-config$ + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: DOMAIN=gitea\.example\.com + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: ROOT_URL=https://gitea\.example\.com + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: SSH_DOMAIN=gitea\.example\.com diff --git a/charts/helm-gitea/unittests/helm/deployment/probes.yaml b/charts/helm-gitea/unittests/helm/deployment/probes.yaml new file mode 100644 index 0000000..259f3bf --- /dev/null +++ b/charts/helm-gitea/unittests/helm/deployment/probes.yaml 
@@ -0,0 +1,188 @@ +suite: deployment template (probes) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/deployment.yaml + - templates/gitea/config.yaml +tests: + - it: renders default liveness probe + template: templates/gitea/deployment.yaml + asserts: + - notExists: + path: spec.template.spec.containers[0].livenessProbe.enabled + - isSubset: + path: spec.template.spec.containers[0].livenessProbe + content: + failureThreshold: 10 + initialDelaySeconds: 200 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: http + timeoutSeconds: 1 + - it: renders default readiness probe + template: templates/gitea/deployment.yaml + asserts: + - notExists: + path: spec.template.spec.containers[0].readinessProbe.enabled + - isSubset: + path: spec.template.spec.containers[0].readinessProbe + content: + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: http + timeoutSeconds: 1 + - it: does not render a default startup probe + template: templates/gitea/deployment.yaml + asserts: + - notExists: + path: spec.template.spec.containers[0].startupProbe + - it: allows enabling a startup probe + template: templates/gitea/deployment.yaml + set: + gitea.startupProbe.enabled: true + asserts: + - notExists: + path: spec.template.spec.containers[0].startupProbe.enabled + - isSubset: + path: spec.template.spec.containers[0].startupProbe + content: + failureThreshold: 10 + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: http + timeoutSeconds: 1 + + - it: allows overwriting the default port of the liveness probe + template: templates/gitea/deployment.yaml + set: + gitea: + livenessProbe: + tcpSocket: + port: my-port + asserts: + - isSubset: + path: spec.template.spec.containers[0].livenessProbe + content: + tcpSocket: + port: my-port + + - it: allows overwriting the default port of the readiness probe + template: templates/gitea/deployment.yaml + set: + 
gitea: + readinessProbe: + tcpSocket: + port: my-port + asserts: + - isSubset: + path: spec.template.spec.containers[0].readinessProbe + content: + tcpSocket: + port: my-port + + - it: allows overwriting the default port of the startup probe + template: templates/gitea/deployment.yaml + set: + gitea: + startupProbe: + enabled: true + tcpSocket: + port: my-port + asserts: + - isSubset: + path: spec.template.spec.containers[0].startupProbe + content: + tcpSocket: + port: my-port + + - it: allows using a non-default method as liveness probe + template: templates/gitea/deployment.yaml + set: + gitea: + livenessProbe: + httpGet: + path: /api/healthz + port: http + initialDelaySeconds: 13371 + timeoutSeconds: 13372 + periodSeconds: 13373 + successThreshold: 13374 + failureThreshold: 13375 + asserts: + - notExists: + path: spec.template.spec.containers[0].livenessProbe.tcpSocket + - isSubset: + path: spec.template.spec.containers[0].livenessProbe + content: + failureThreshold: 13375 + initialDelaySeconds: 13371 + periodSeconds: 13373 + successThreshold: 13374 + httpGet: + path: /api/healthz + port: http + timeoutSeconds: 13372 + + - it: allows using a non-default method as readiness probe + template: templates/gitea/deployment.yaml + set: + gitea: + readinessProbe: + httpGet: + path: /api/healthz + port: http + initialDelaySeconds: 13371 + timeoutSeconds: 13372 + periodSeconds: 13373 + successThreshold: 13374 + failureThreshold: 13375 + asserts: + - notExists: + path: spec.template.spec.containers[0].readinessProbe.tcpSocket + - isSubset: + path: spec.template.spec.containers[0].readinessProbe + content: + failureThreshold: 13375 + initialDelaySeconds: 13371 + periodSeconds: 13373 + successThreshold: 13374 + httpGet: + path: /api/healthz + port: http + timeoutSeconds: 13372 + + - it: allows using a non-default method as startup probe + template: templates/gitea/deployment.yaml + set: + gitea: + startupProbe: + enabled: true + httpGet: + path: /api/healthz + port: http + 
initialDelaySeconds: 13371 + timeoutSeconds: 13372 + periodSeconds: 13373 + successThreshold: 13374 + failureThreshold: 13375 + asserts: + - notExists: + path: spec.template.spec.containers[0].startupProbe.tcpSocket + - isSubset: + path: spec.template.spec.containers[0].startupProbe + content: + failureThreshold: 13375 + initialDelaySeconds: 13371 + periodSeconds: 13373 + successThreshold: 13374 + httpGet: + path: /api/healthz + port: http + timeoutSeconds: 13372 diff --git a/charts/helm-gitea/unittests/helm/deployment/sidecar-container.yaml b/charts/helm-gitea/unittests/helm/deployment/sidecar-container.yaml new file mode 100644 index 0000000..e41e193 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/deployment/sidecar-container.yaml @@ -0,0 +1,21 @@ +suite: sidecar container +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/deployment.yaml + - templates/gitea/config.yaml +tests: + - it: supports adding a sidecar container + template: templates/gitea/deployment.yaml + set: + extraContainers: + - name: sidecar-bob + image: busybox + asserts: + - equal: + path: spec.template.spec.containers[1].name + value: "sidecar-bob" + - equal: + path: spec.template.spec.containers[1].image + value: "busybox" diff --git a/charts/helm-gitea/unittests/helm/deployment/signing-disabled.yaml b/charts/helm-gitea/unittests/helm/deployment/signing-disabled.yaml new file mode 100644 index 0000000..9e4519a --- /dev/null +++ b/charts/helm-gitea/unittests/helm/deployment/signing-disabled.yaml 
@@ -0,0 +1,40 @@ +suite: deployment template (signing disabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/deployment.yaml + - templates/gitea/config.yaml +tests: + - it: skips gpg init container + template: templates/gitea/deployment.yaml + asserts: + - notContains: + path: spec.template.spec.initContainers + any: true + content: + name: configure-gpg + - it: skips gpg env in `init-directories` init container + template: templates/gitea/deployment.yaml + set: + signing.enabled: false + asserts: + - notContains: + path: spec.template.spec.initContainers[0].env + content: + name: GNUPGHOME + value: /data/git/.gnupg + - it: skips gpg env in runtime container + template: templates/gitea/deployment.yaml + asserts: + - notContains: + path: spec.template.spec.containers[0].env + content: + name: GNUPGHOME + - it: skips gpg volume spec + template: templates/gitea/deployment.yaml + asserts: + - notContains: + path: spec.template.spec.volumes + content: + name: gpg-private-key diff --git a/charts/helm-gitea/unittests/helm/deployment/signing-enabled.yaml b/charts/helm-gitea/unittests/helm/deployment/signing-enabled.yaml new file mode 100644 index 0000000..47a05e7 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/deployment/signing-enabled.yaml 
@@ -0,0 +1,98 @@ +suite: deployment template (signing enabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/deployment.yaml + - templates/gitea/config.yaml +tests: + - it: adds gpg init container + template: templates/gitea/deployment.yaml + set: + signing: + enabled: true + existingSecret: "custom-gpg-secret" + asserts: + - equal: + path: spec.template.spec.initContainers[2].name + value: configure-gpg + - equal: + path: spec.template.spec.initContainers[2].command + value: ["/usr/sbinx/configure_gpg_environment.sh"] + - equal: + path: spec.template.spec.initContainers[2].securityContext + value: + runAsUser: 1000 + - equal: + path: spec.template.spec.initContainers[2].env + value: + - name: GNUPGHOME + value: /data/git/.gnupg + - name: TMP_RAW_GPG_KEY + value: /raw/private.asc + - equal: + path: spec.template.spec.initContainers[2].volumeMounts + value: + - name: init + mountPath: /usr/sbinx + - name: data + mountPath: /data + - name: gpg-private-key + mountPath: /raw + readOnly: true + - it: adds gpg env in `init-directories` init container + template: templates/gitea/deployment.yaml + set: + signing.enabled: true + signing.existingSecret: "custom-gpg-secret" + asserts: + - contains: + path: spec.template.spec.initContainers[0].env + content: + name: GNUPGHOME + value: /data/git/.gnupg + - it: adds gpg env in runtime container + template: templates/gitea/deployment.yaml + set: + signing.enabled: true + signing.existingSecret: "custom-gpg-secret" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: GNUPGHOME + value: /data/git/.gnupg + - it: adds gpg volume spec + template: templates/gitea/deployment.yaml + set: + signing: + enabled: true + existingSecret: "gitea-unittests-gpg-key" + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: gpg-private-key + secret: + secretName: gitea-unittests-gpg-key + items: + - key: privateKey + path: private.asc + defaultMode: 
0100 + - it: supports gpg volume spec with external reference + template: templates/gitea/deployment.yaml + set: + signing: + enabled: true + existingSecret: custom-gpg-secret + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: gpg-private-key + secret: + secretName: custom-gpg-secret + items: + - key: privateKey + path: private.asc + defaultMode: 0100 diff --git a/charts/helm-gitea/unittests/helm/deployment/ssh-configuration.yaml b/charts/helm-gitea/unittests/helm/deployment/ssh-configuration.yaml new file mode 100644 index 0000000..a2fa073 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/deployment/ssh-configuration.yaml 
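Review bot: `defaultMode: 0100` in the two `gpg volume spec` expectations relies on the parser treating a leading zero as octal; a YAML 1.2 core-schema loader reads it as decimal 100, while Go's yaml.v3 (which helm-unittest most likely uses) reads it as 64. Writing the expected value as `defaultMode: 64` pins the intent regardless of loader and still compares equal to what the template emits. The test file itself is unaffected today, so this is a portability point rather than a failure.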
@@ -0,0 +1,64 @@ +suite: deployment template (SSH configuration) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/deployment.yaml + - templates/gitea/config.yaml +tests: + - it: supports defining SSH log level for root based image + template: templates/gitea/deployment.yaml + set: + image.rootless: false + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSH_LOG_LEVEL + value: "INFO" + - it: supports overriding SSH log level + template: templates/gitea/deployment.yaml + set: + image.rootless: false + gitea.ssh.logLevel: "DEBUG" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSH_LOG_LEVEL + value: "DEBUG" + - it: supports overriding SSH log level (even when image.fullOverride set) + template: templates/gitea/deployment.yaml + set: + image.fullOverride: docker.gitea.com/gitea:1.19.3 + image.rootless: false + gitea.ssh.logLevel: "DEBUG" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSH_LOG_LEVEL + value: "DEBUG" + - it: skips SSH_LOG_LEVEL for rootless image + template: templates/gitea/deployment.yaml + set: + image.rootless: true + gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here + asserts: + - notContains: + path: spec.template.spec.containers[0].env + any: true + content: + name: SSH_LOG_LEVEL + - it: skips SSH_LOG_LEVEL for rootless image (even when image.fullOverride set) + template: templates/gitea/deployment.yaml + set: + image.fullOverride: docker.gitea.com/gitea:1.19.3 + image.rootless: true + gitea.ssh.logLevel: "DEBUG" # explicitly defining a non-standard level here + asserts: + - notContains: + path: spec.template.spec.containers[0].env + any: true + content: + name: SSH_LOG_LEVEL 
diff --git a/charts/helm-gitea/unittests/helm/deployment/storage-class-configuration.yaml b/charts/helm-gitea/unittests/helm/deployment/storage-class-configuration.yaml new file mode 100644 index 0000000..abad587 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/deployment/storage-class-configuration.yaml @@ -0,0 +1,39 @@ +# File: tests/gitea-storageclass-tests.yaml + +suite: storage class configuration tests + +release: + name: gitea-storageclass-tests + namespace: testing + +templates: + - templates/gitea/pvc.yaml + +tests: + - it: should set storageClassName when persistence.storageClass is defined + template: templates/gitea/pvc.yaml + set: + persistence.storageClass: "my-storage-class" + asserts: + - equal: + path: "spec.storageClassName" + value: "my-storage-class" + + - it: should set global.storageClass when persistence.storageClass is not defined + template: templates/gitea/pvc.yaml + set: + global.storageClass: "default-storage-class" + asserts: + - equal: + path: spec.storageClassName + value: "default-storage-class" + + - it: should set storageClassName when persistence.storageClass is defined and global.storageClass is defined + template: templates/gitea/pvc.yaml + set: + global.storageClass: "default-storage-class" + persistence.storageClass: "my-storage-class" + asserts: + - equal: + path: spec.storageClassName + value: "my-storage-class" diff --git a/charts/helm-gitea/unittests/helm/deployment/svc-configuration.yaml b/charts/helm-gitea/unittests/helm/deployment/svc-configuration.yaml new file mode 100644 index 0000000..24059ea --- /dev/null +++ b/charts/helm-gitea/unittests/helm/deployment/svc-configuration.yaml 
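Review bot: The leading comment `# File: tests/gitea-storageclass-tests.yaml` names a path that does not match where the file lives (`charts/helm-gitea/unittests/helm/deployment/storage-class-configuration.yaml`), so it misleads rather than helps; drop it or replace it with the real path. The suite also only renders `templates/gitea/pvc.yaml`, which suggests it belongs next to `unittests/helm/pvc/pvc-configuration.yaml` rather than under `deployment/`.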
@@ -0,0 +1,118 @@ +suite: ssh-svc / http-svc template (Services configuration) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/ssh-svc.yaml + - templates/gitea/http-svc.yaml +tests: + - it: supports adding custom labels to ssh-svc + template: templates/gitea/ssh-svc.yaml + set: + service: + ssh: + labels: + gitea/testkey: testvalue + asserts: + - equal: + path: metadata.labels["gitea/testkey"] + value: "testvalue" + + - it: keeps existing labels (ssh) + template: templates/gitea/ssh-svc.yaml + set: + service: + ssh: + labels: {} + asserts: + - exists: + path: metadata.labels["app"] + + - it: supports adding custom labels to http-svc + template: templates/gitea/http-svc.yaml + set: + service: + http: + labels: + gitea/testkey: testvalue + asserts: + - equal: + path: metadata.labels["gitea/testkey"] + value: "testvalue" + + - it: keeps existing labels (http) + template: templates/gitea/http-svc.yaml + set: + service: + http: + labels: {} + asserts: + - exists: + path: metadata.labels["app"] + + - it: render service.ssh.loadBalancerClass if set and type is LoadBalancer + template: templates/gitea/ssh-svc.yaml + set: + service: + ssh: + loadBalancerClass: "example.com/class" + type: LoadBalancer + loadBalancerIP: "1.2.3.4" + loadBalancerSourceRanges: + - "1.2.3.4/32" + - "5.6.7.8/32" + asserts: + - equal: + path: spec.loadBalancerClass + value: "example.com/class" + - equal: + path: spec.loadBalancerIP + value: "1.2.3.4" + - equal: + path: spec.loadBalancerSourceRanges + value: ["1.2.3.4/32", "5.6.7.8/32"] + + - it: does not render when loadbalancer properties are set but type is not loadBalancerClass + template: templates/gitea/http-svc.yaml + set: + service: + http: + type: ClusterIP + loadBalancerClass: "example.com/class" + loadBalancerIP: "1.2.3.4" + loadBalancerSourceRanges: + - "1.2.3.4/32" + - "5.6.7.8/32" + asserts: + - notExists: + path: spec.loadBalancerClass + - notExists: + path: spec.loadBalancerIP + - notExists: + 
path: spec.loadBalancerSourceRanges + + - it: does not render loadBalancerClass by default even when type is LoadBalancer + template: templates/gitea/http-svc.yaml + set: + service: + http: + type: LoadBalancer + loadBalancerIP: "1.2.3.4" + asserts: + - notExists: + path: spec.loadBalancerClass + - equal: + path: spec.loadBalancerIP + value: "1.2.3.4" + + - it: both ssh and http services exist + templates: + - templates/gitea/ssh-svc.yaml + - templates/gitea/http-svc.yaml + asserts: + - matchRegex: + path: metadata.name + pattern: "^gitea-unittests-(?:ssh|http)$" + - matchRegex: + path: spec.ports[0].name + pattern: "^(?:ssh|http)$" diff --git a/charts/helm-gitea/unittests/helm/gpg-secret/signing-disabled.yaml b/charts/helm-gitea/unittests/helm/gpg-secret/signing-disabled.yaml new file mode 100644 index 0000000..3b1aba4 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/gpg-secret/signing-disabled.yaml @@ -0,0 +1,13 @@ +suite: GPG secret template (signing disabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/gpg-secret.yaml +tests: + - it: renders nothing + set: + signing.enabled: false + asserts: + - hasDocuments: + count: 0 diff --git a/charts/helm-gitea/unittests/helm/gpg-secret/signing-enabled.yaml b/charts/helm-gitea/unittests/helm/gpg-secret/signing-enabled.yaml new file mode 100644 index 0000000..8fcab68 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/gpg-secret/signing-enabled.yaml 
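Review bot: The case titled "does not render when loadbalancer properties are set but type is not loadBalancerClass" names the wrong condition: what it sets is `type: ClusterIP`, and the property that gates rendering is the service `type` being `LoadBalancer`, not a class. A title such as `- it: does not render loadBalancer properties when type is not LoadBalancer` would describe the assertions (`notExists` on `spec.loadBalancerClass`, `spec.loadBalancerIP`, `spec.loadBalancerSourceRanges`) accurately. The positive case on the ssh service pins `loadBalancerSourceRanges` as well, which is the check worth keeping, since those ranges are what restricts who can reach a LoadBalancer-typed SSH service.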
@@ -0,0 +1,40 @@ +suite: GPG secret template (signing enabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/gpg-secret.yaml +tests: + - it: fails rendering when nothing is configured + set: + signing: + enabled: true + asserts: + - failedTemplate: + errorMessage: Either specify `signing.privateKey` or `signing.existingSecret` + - it: skips rendering using external secret reference + set: + signing: + enabled: true + existingSecret: "external-secret-reference" + asserts: + - hasDocuments: + count: 0 + - it: renders secret specification using inline gpg key + set: + signing: + enabled: true + privateKey: "gpg-key-placeholder" + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: Secret + apiVersion: v1 + name: gitea-unittests-gpg-key + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: data.privateKey + value: "Z3BnLWtleS1wbGFjZWhvbGRlcg==" diff --git a/charts/helm-gitea/unittests/helm/ingress/basic.yaml b/charts/helm-gitea/unittests/helm/ingress/basic.yaml new file mode 100644 index 0000000..733e557 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/ingress/basic.yaml 
@@ -0,0 +1,93 @@ +suite: Test ingress.yaml +templates: + - templates/gitea/ingress.yaml +tests: + - it: should enable ingress when ingress.enabled is true + set: + ingress.enabled: true + ingress.apiVersion: networking.k8s.io/v1 + ingress.annotations: + kubernetes.io/ingress.class: nginx + ingress.className: nginx + ingress.tls: + - hosts: + - example.com + secretName: tls-secret + ingress.hosts: + - host: example.com + paths: ["/"] + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Ingress + - equal: + path: metadata.name + value: RELEASE-NAME-gitea + - matchRegex: + path: apiVersion + pattern: networking.k8s.io/v1 + - equal: + path: spec.ingressClassName + value: nginx + - equal: + path: spec.rules[0].host + value: "example.com" + - equal: + path: spec.tls[0].hosts[0] + value: "example.com" + - equal: + path: spec.tls[0].secretName + value: tls-secret + - equal: + path: metadata.annotations["kubernetes.io/ingress.class"] + value: nginx + + - it: should not create ingress when ingress.enabled is false + set: + ingress.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: Ingress Class using TPL + set: + global.ingress.className: "ingress-class" + ingress.className: "{{ .Values.global.ingress.className }}" + ingress.enabled: true + ingress.hosts[0].host: "some-host" + ingress.tls: + - secretName: gitea-tls + hosts: + - "some-host" + asserts: + - isKind: + of: Ingress + - equal: + path: spec.tls[0].hosts[0] + value: "some-host" + - equal: + path: spec.rules[0].host + value: "some-host" + - equal: + path: spec.ingressClassName + value: "ingress-class" + + - it: hostname using TPL + set: + global.giteaHostName: "gitea.example.com" + ingress.enabled: true + ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}" + ingress.tls: + - secretName: gitea-tls + hosts: + - "{{ .Values.global.giteaHostName }}" + asserts: + - isKind: + of: Ingress + - equal: + path: spec.tls[0].hosts[0] + value: "gitea.example.com" + - equal: + path: spec.rules[0].host + 
value: "gitea.example.com" diff --git a/charts/helm-gitea/unittests/helm/ingress/implicit-defaults.yaml b/charts/helm-gitea/unittests/helm/ingress/implicit-defaults.yaml new file mode 100644 index 0000000..2337286 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/ingress/implicit-defaults.yaml @@ -0,0 +1,23 @@ +suite: Test ingress with implicit path defaults +templates: + - templates/gitea/ingress.yaml +tests: + - it: should use default path and pathType when no paths are specified + set: + ingress.enabled: true + ingress.hosts: + - host: git.example.com + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Ingress + - equal: + path: spec.rules[0].host + value: "git.example.com" + - equal: + path: spec.rules[0].http.paths[0].path + value: "/" + - equal: + path: spec.rules[0].http.paths[0].pathType + value: "Prefix" diff --git a/charts/helm-gitea/unittests/helm/ingress/ingress.tpl.yaml b/charts/helm-gitea/unittests/helm/ingress/ingress.tpl.yaml new file mode 100644 index 0000000..5136c1c --- /dev/null +++ b/charts/helm-gitea/unittests/helm/ingress/ingress.tpl.yaml 
@@ -0,0 +1,45 @@ +suite: Test ingress tpl use +templates: + - templates/gitea/ingress.yaml +tests: + - it: Ingress Class using TPL + set: + global.ingress.className: "ingress-class" + ingress.className: "{{ .Values.global.ingress.className }}" + ingress.enabled: true + ingress.hosts[0].host: "some-host" + ingress.tls: + - secretName: gitea-tls + hosts: + - "some-host" + asserts: + - isKind: + of: Ingress + - equal: + path: spec.tls[0].hosts[0] + value: "some-host" + - equal: + path: spec.rules[0].host + value: "some-host" + - equal: + path: spec.ingressClassName + value: "ingress-class" + + - it: hostname using TPL + set: + global.giteaHostName: "gitea.example.com" + ingress.enabled: true + ingress.hosts[0].host: "{{ .Values.global.giteaHostName }}" + ingress.tls: + - secretName: gitea-tls + hosts: + - "{{ .Values.global.giteaHostName }}" + asserts: + - isKind: + of: Ingress + - equal: + path: spec.tls[0].hosts[0] + value: "gitea.example.com" + - equal: + path: spec.rules[0].host + value: "gitea.example.com" diff --git a/charts/helm-gitea/unittests/helm/ingress/structured-paths.yaml b/charts/helm-gitea/unittests/helm/ingress/structured-paths.yaml new file mode 100644 index 0000000..3183ac7 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/ingress/structured-paths.yaml @@ -0,0 +1,26 @@ +suite: Test ingress with structured paths +templates: + - templates/gitea/ingress.yaml +tests: + - it: should work with structured path definitions + set: + ingress.enabled: true + ingress.hosts: + - host: git.devxy.io + paths: + - path: / + pathType: Prefix + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Ingress + - equal: + path: spec.rules[0].host + value: "git.devxy.io" + - equal: + path: spec.rules[0].http.paths[0].path + value: "/" + - equal: + path: spec.rules[0].http.paths[0].pathType + value: "Prefix" diff --git a/charts/helm-gitea/unittests/helm/init/basic.yaml b/charts/helm-gitea/unittests/helm/init/basic.yaml new file mode 100644 index 0000000..25027f5 
--- /dev/null +++ b/charts/helm-gitea/unittests/helm/init/basic.yaml @@ -0,0 +1,15 @@ +suite: Init template (basic) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/init.yaml +tests: + - it: renders a secret + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Secret + apiVersion: v1 + name: gitea-unittests-init diff --git a/charts/helm-gitea/unittests/helm/init/init_directory_structure.sh-rootless.yaml b/charts/helm-gitea/unittests/helm/init/init_directory_structure.sh-rootless.yaml new file mode 100644 index 0000000..a215bd6 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/init/init_directory_structure.sh-rootless.yaml 
@@ -0,0 +1,82 @@ +suite: Init template +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/init.yaml +tests: + - it: runs gpg in batch mode + set: + signing.enabled: true + signing.privateKey: |- + -----BEGIN PGP PRIVATE KEY BLOCK----- + {placeholder} + -----END PGP PRIVATE KEY BLOCK----- + asserts: + - equal: + path: stringData["configure_gpg_environment.sh"] + value: | + #!/usr/bin/env bash + set -eu + + gpg --batch --import "$TMP_RAW_GPG_KEY" + - it: skips gpg script block for disabled signing + asserts: + - equal: + path: stringData["init_directory_structure.sh"] + value: |- + #!/usr/bin/env bash + + set -euo pipefail + mkdir -pv /data/git/.ssh + chmod -Rv 700 /data/git/.ssh + [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf + + # prepare temp directory structure + mkdir -pv "${GITEA_TEMP}" + chmod -v ug+rwx "${GITEA_TEMP}" + - it: adds gpg script block for enabled signing + set: + signing.enabled: true + signing.privateKey: |- + -----BEGIN PGP PRIVATE KEY BLOCK----- + {placeholder} + -----END PGP PRIVATE KEY BLOCK----- + asserts: + - equal: + path: stringData["init_directory_structure.sh"] + value: |- + #!/usr/bin/env bash + + set -euo pipefail + mkdir -pv /data/git/.ssh + chmod -Rv 700 /data/git/.ssh + [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf + + # prepare temp directory structure + mkdir -pv "${GITEA_TEMP}" + chmod -v ug+rwx "${GITEA_TEMP}" + + if [ ! -d "${GNUPGHOME}" ]; then + mkdir -pv "${GNUPGHOME}" + chmod -v 700 "${GNUPGHOME}" + chown -v 1000:1000 "${GNUPGHOME}" + fi + - it: it does not chown /data even when image.fullOverride is set + template: templates/gitea/init.yaml + set: + image.fullOverride: docker.gitea.com/gitea:1.20.5 + asserts: + - equal: + path: stringData["init_directory_structure.sh"] + value: |- + #!/usr/bin/env bash + + set -euo pipefail + mkdir -pv /data/git/.ssh + chmod -Rv 700 /data/git/.ssh + [ ! 
-d /data/gitea/conf ] && mkdir -pv /data/gitea/conf + + # prepare temp directory structure + mkdir -pv "${GITEA_TEMP}" + chmod -v ug+rwx "${GITEA_TEMP}" diff --git a/charts/helm-gitea/unittests/helm/init/init_directory_structure.sh.yaml b/charts/helm-gitea/unittests/helm/init/init_directory_structure.sh.yaml new file mode 100644 index 0000000..bdd6b8a --- /dev/null +++ b/charts/helm-gitea/unittests/helm/init/init_directory_structure.sh.yaml 
@@ -0,0 +1,72 @@ +suite: Init template +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/init.yaml +tests: + - it: runs gpg in batch mode + set: + image.rootless: false + signing.enabled: true + signing.privateKey: |- + -----BEGIN PGP PRIVATE KEY BLOCK----- + {placeholder} + -----END PGP PRIVATE KEY BLOCK----- + asserts: + - equal: + path: stringData["configure_gpg_environment.sh"] + value: | + #!/usr/bin/env bash + set -eu + + gpg --batch --import "$TMP_RAW_GPG_KEY" + - it: skips gpg script block for disabled signing + set: + image.rootless: false + asserts: + - equal: + path: stringData["init_directory_structure.sh"] + value: |- + #!/usr/bin/env bash + + set -euo pipefail + chown -v 1000:1000 /data + mkdir -pv /data/git/.ssh + chmod -Rv 700 /data/git/.ssh + [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf + + # prepare temp directory structure + mkdir -pv "${GITEA_TEMP}" + chown -v 1000:1000 "${GITEA_TEMP}" + chmod -v ug+rwx "${GITEA_TEMP}" + - it: adds gpg script block for enabled signing + set: + image.rootless: false + signing.enabled: true + signing.privateKey: |- + -----BEGIN PGP PRIVATE KEY BLOCK----- + {placeholder} + -----END PGP PRIVATE KEY BLOCK----- + asserts: + - equal: + path: stringData["init_directory_structure.sh"] + value: |- + #!/usr/bin/env bash + + set -euo pipefail + chown -v 1000:1000 /data + mkdir -pv /data/git/.ssh + chmod -Rv 700 /data/git/.ssh + [ ! -d /data/gitea/conf ] && mkdir -pv /data/gitea/conf + + # prepare temp directory structure + mkdir -pv "${GITEA_TEMP}" + chown -v 1000:1000 "${GITEA_TEMP}" + chmod -v ug+rwx "${GITEA_TEMP}" + + if [ ! -d "${GNUPGHOME}" ]; then + mkdir -pv "${GNUPGHOME}" + chmod -v 700 "${GNUPGHOME}" + chown -v 1000:1000 "${GNUPGHOME}" + fi 
diff --git a/charts/helm-gitea/unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml b/charts/helm-gitea/unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml new file mode 100644 index 0000000..e3776ca --- /dev/null +++ b/charts/helm-gitea/unittests/helm/metric-secret/metrics-secret-servicemonitor-disabled.yaml @@ -0,0 +1,23 @@ +suite: Metrics secret template (monitoring disabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/metrics-secret.yaml +tests: + - it: renders nothing if monitoring disabled and gitea.metrics.token empty + set: + gitea.metrics.enabled: false + gitea.metrics.serviceMonitor.enabled: false + gitea.metrics.token: "" + asserts: + - hasDocuments: + count: 0 + - it: renders nothing if monitoring disabled and gitea.metrics.token not empty + set: + gitea.metrics.enabled: false + gitea.metrics.serviceMonitor.enabled: false + gitea.metrics.token: "test-token" + asserts: + - hasDocuments: + count: 0 diff --git a/charts/helm-gitea/unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml b/charts/helm-gitea/unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml new file mode 100644 index 0000000..78e714a --- /dev/null +++ b/charts/helm-gitea/unittests/helm/metric-secret/metrics-secret-servicemonitor-enabled.yaml 
@@ -0,0 +1,33 @@ +suite: Metrics secret template (monitoring enabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/metrics-secret.yaml +tests: + - it: renders nothing if monitoring enabled and gitea.metrics.token empty + set: + gitea.metrics.enabled: true + gitea.metrics.serviceMonitor.enabled: true + gitea.metrics.token: "" + asserts: + - hasDocuments: + count: 0 + - it: renders Secret if monitoring enabled and gitea.metrics.token not empty + set: + gitea.metrics.enabled: true + gitea.metrics.serviceMonitor.enabled: true + gitea.metrics.token: "test-token" + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: Secret + apiVersion: v1 + name: gitea-unittests-metrics-secret + - isNotNullOrEmpty: + path: metadata.labels + - equal: + path: data.token + value: "dGVzdC10b2tlbg==" diff --git a/charts/helm-gitea/unittests/helm/pvc/pvc-configuration.yaml b/charts/helm-gitea/unittests/helm/pvc/pvc-configuration.yaml new file mode 100644 index 0000000..3431000 --- /dev/null +++ b/charts/helm-gitea/unittests/helm/pvc/pvc-configuration.yaml @@ -0,0 +1,19 @@ +suite: PVC template +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/pvc.yaml +tests: + - it: Storage Class using TPL + set: + global.persistence.storageClass: "storage-class" + persistence.enabled: true + persistence.create: true + persistence.storageClass: "{{ .Values.global.persistence.storageClass }}" + asserts: + - isKind: + of: PersistentVolumeClaim + - equal: + path: spec.storageClassName + value: "storage-class" diff --git a/charts/helm-gitea/unittests/helm/serviceaccount/basic.yaml b/charts/helm-gitea/unittests/helm/serviceaccount/basic.yaml new file mode 100644 index 0000000..73d8e1e --- /dev/null +++ b/charts/helm-gitea/unittests/helm/serviceaccount/basic.yaml 
@@ -0,0 +1,82 @@
+suite: ServiceAccount template (basic)
+release:
+ name: gitea-unittests
+ namespace: testing
+templates:
+ - templates/gitea/serviceaccount.yaml
+tests:
+ - it: skips rendering by default
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: renders default ServiceAccount object with serviceAccount.create=true
+ set:
+ serviceAccount.create: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: ServiceAccount
+ apiVersion: v1
+ name: gitea-unittests
+ - equal:
+ path: automountServiceAccountToken
+ value: false
+ - notExists:
+ path: imagePullSecrets
+ - notExists:
+ path: metadata.annotations
+ - it: allows for adding custom labels
+ set:
+ serviceAccount:
+ create: true
+ labels:
+ custom: label
+ asserts:
+ - equal:
+ path: metadata.labels.custom
+ value: label
+ - it: allows for adding custom annotations
+ set:
+ serviceAccount:
+ create: true
+ annotations:
+ myCustom: annotation
+ asserts:
+ - equal:
+ path: metadata.annotations.myCustom
+ value: annotation
+ - it: allows to override the generated name
+ set:
+ serviceAccount:
+ create: true
+ name: provided-serviceaccount-name
+ asserts:
+ - equal:
+ path: metadata.name
+ value: provided-serviceaccount-name
+ - it: allows to mount the token
+ set:
+ serviceAccount:
+ create: true
+ automountServiceAccountToken: true
+ asserts:
+ - equal:
+ path: automountServiceAccountToken
+ value: true
+ - it: allows to reference image pull secrets
+ set:
+ serviceAccount:
+ create: true
+ imagePullSecrets:
+ - name: testing-image-pull-secret
+ - name: another-pull-secret
+ asserts:
+ - contains:
+ path: imagePullSecrets
+ content:
+ name: testing-image-pull-secret
+ - contains:
+ path: imagePullSecrets
+ content:
+ name: another-pull-secret
diff --git a/charts/helm-gitea/unittests/helm/serviceaccount/reference.yaml b/charts/helm-gitea/unittests/helm/serviceaccount/reference.yaml
new file mode 100644
index 0000000..25faa03
--- /dev/null
+++ b/charts/helm-gitea/unittests/helm/serviceaccount/reference.yaml
@@ -0,0 +1,32 @@
+suite: ServiceAccount template (reference)
+release:
+ name: gitea-unittests
+ namespace: testing
+templates:
+ - templates/gitea/serviceaccount.yaml
+ - templates/gitea/deployment.yaml
+ - templates/gitea/config.yaml
+tests:
+ - it: does not modify the deployment by default
+ template: templates/gitea/deployment.yaml
+ asserts:
+ - notExists:
+ path: spec.serviceAccountName
+ - it: adds the reference to the deployment with serviceAccount.create=true
+ template: templates/gitea/deployment.yaml
+ set:
+ serviceAccount.create: true
+ asserts:
+ - equal:
+ path: spec.template.spec.serviceAccountName
+ value: gitea-unittests
+ - it: allows referencing an externally created ServiceAccount to the deployment
+ template: templates/gitea/deployment.yaml
+ set:
+ serviceAccount:
+ create: false # explicitly set to define rendering behavior
+ name: "externally-existing-serviceaccount"
+ asserts:
+ - equal:
+ path: spec.template.spec.serviceAccountName
+ value: externally-existing-serviceaccount
diff --git a/charts/helm-gitea/unittests/helm/servicemonitor/basic.yaml b/charts/helm-gitea/unittests/helm/servicemonitor/basic.yaml
new file mode 100644
index 0000000..f5d0091
--- /dev/null
+++ b/charts/helm-gitea/unittests/helm/servicemonitor/basic.yaml
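Review bot: The first test asserts `notExists` on `path: spec.serviceAccountName`, while its two siblings read the field at `spec.template.spec.serviceAccountName`; on a Deployment the top-level path never exists, so the default-behaviour check passes even if the template injected a serviceAccountName unconditionally. Change it to `path: spec.template.spec.serviceAccountName` so the assertion actually guards the "no reference by default" contract. templates/gitea/config.yaml is listed under `templates` but no test selects it, presumably because deployment.yaml depends on it; a short comment on that line saying so would save the next reader a lookup.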
@@ -0,0 +1,89 @@
+suite: ServiceMonitor template (basic)
+release:
+ name: gitea-unittests
+ namespace: testing
+templates:
+ - templates/gitea/servicemonitor.yaml
+tests:
+ - it: skips rendering by default
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: renders default ServiceMonitor object with gitea.metrics.enabled=true
+ set:
+ gitea.metrics.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: renders default ServiceMonitor object with gitea.metrics.serviceMonitor.enabled=true
+ set:
+ gitea.metrics.serviceMonitor.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: renders defaults
+ set:
+ gitea.metrics.enabled: true
+ gitea.metrics.serviceMonitor.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: ServiceMonitor
+ apiVersion: monitoring.coreos.com/v1
+ name: gitea-unittests
+ - notExists:
+ path: metadata.annotations
+ - notExists:
+ path: spec.endpoints[0].interval
+ - equal:
+ path: spec.endpoints[0].port
+ value: http
+ - notExists:
+ path: spec.endpoints[0].scheme
+ - notExists:
+ path: spec.endpoints[0].scrapeTimeout
+ - notExists:
+ path: spec.endpoints[0].tlsConfig
+ - it: renders custom scrape interval
+ set:
+ gitea.metrics.enabled: true
+ gitea.metrics.serviceMonitor.enabled: true
+ gitea.metrics.serviceMonitor.interval: 30s
+ gitea.metrics.serviceMonitor.scrapeTimeout: 5s
+ asserts:
+ - equal:
+ path: spec.endpoints[0].interval
+ value: 30s
+ - equal:
+ path: spec.endpoints[0].scrapeTimeout
+ value: 5s
+ - it: renders custom tls config
+ set:
+ gitea.metrics.enabled: true
+ gitea.metrics.serviceMonitor.enabled: true
+ gitea.metrics.serviceMonitor.scheme: https
+ gitea.metrics.serviceMonitor.tlsConfig.caFile: /etc/prometheus/tls/ca.crt
+ gitea.metrics.serviceMonitor.tlsConfig.certFile: /etc/prometheus/tls/tls.crt
+ gitea.metrics.serviceMonitor.tlsConfig.keyFile: /etc/prometheus/tls/tls.key
+ gitea.metrics.serviceMonitor.tlsConfig.insecureSkipVerify: false
+ gitea.metrics.serviceMonitor.tlsConfig.serverName: gitea-unittest
+ asserts:
+ - equal:
+ path: spec.endpoints[0].scheme
+ value: https
+ - equal:
+ path: spec.endpoints[0].tlsConfig.caFile
+ value: /etc/prometheus/tls/ca.crt
+ - equal:
+ path: spec.endpoints[0].tlsConfig.certFile
+ value: /etc/prometheus/tls/tls.crt
+ - equal:
+ path: spec.endpoints[0].tlsConfig.keyFile
+ value: /etc/prometheus/tls/tls.key
+ - equal:
+ path: spec.endpoints[0].tlsConfig.insecureSkipVerify
+ value: false
+ - equal:
+ path: spec.endpoints[0].tlsConfig.serverName
+ value: gitea-unittest
diff --git a/charts/helm-gitea/unittests/helm/servicemonitor/servicemonitor-disabled.yaml b/charts/helm-gitea/unittests/helm/servicemonitor/servicemonitor-disabled.yaml
new file mode 100644
index 0000000..5b2de44
--- /dev/null
+++ b/charts/helm-gitea/unittests/helm/servicemonitor/servicemonitor-disabled.yaml
@@ -0,0 +1,23 @@
+suite: ServiceMonitor template (monitoring disabled)
+release:
+ name: gitea-unittests
+ namespace: testing
+templates:
+ - templates/gitea/servicemonitor.yaml
+tests:
+ - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token empty
+ set:
+ gitea.metrics.enabled: false
+ gitea.metrics.token: ""
+ gitea.metrics.serviceMonitor.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: renders nothing if gitea.metrics.serviceMonitor disabled and gitea.metrics.token not empty
+ set:
+ gitea.metrics.enabled: false
+ gitea.metrics.token: "test-token"
+ gitea.metrics.serviceMonitor.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/helm-gitea/unittests/helm/servicemonitor/servicemonitor-enabled.yaml b/charts/helm-gitea/unittests/helm/servicemonitor/servicemonitor-enabled.yaml
new file mode 100644
index 0000000..29d83ca
--- /dev/null
+++ b/charts/helm-gitea/unittests/helm/servicemonitor/servicemonitor-enabled.yaml
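Review bot: In servicemonitor/basic.yaml the second and third tests are named `renders default ServiceMonitor object with gitea.metrics.enabled=true` and `... with gitea.metrics.serviceMonitor.enabled=true`, yet each asserts `hasDocuments: count: 0`; what they verify is that setting only one of the two flags renders nothing, so the names state the opposite of the expectation. Rename them to match, e.g. `it: skips rendering with only gitea.metrics.enabled=true` and `it: skips rendering with only gitea.metrics.serviceMonitor.enabled=true`. The TLS test only exercises `insecureSkipVerify: false`; since that flag disables certificate verification of the scrape target when set, a second case asserting the `true` value is passed through unchanged would document that the template does not silently alter it.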
@@ -0,0 +1,70 @@
+suite: ServiceMonitor template (monitoring enabled)
+release:
+ name: gitea-unittests
+ namespace: testing
+templates:
+ - templates/gitea/servicemonitor.yaml
+tests:
+ - it: renders unsecure ServiceMonitor if gitea.metrics.token nil
+ set:
+ gitea.metrics.enabled: true
+ gitea.metrics.token:
+ gitea.metrics.serviceMonitor.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - documentIndex: 0
+ containsDocument:
+ kind: ServiceMonitor
+ apiVersion: monitoring.coreos.com/v1
+ name: gitea-unittests
+ - isNotNullOrEmpty:
+ path: metadata.labels
+ - equal:
+ path: spec.endpoints
+ value:
+ - port: http
+ - it: renders unsecure ServiceMonitor if gitea.metrics.token empty
+ set:
+ gitea.metrics.enabled: true
+ gitea.metrics.token: ""
+ gitea.metrics.serviceMonitor.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - documentIndex: 0
+ containsDocument:
+ kind: ServiceMonitor
+ apiVersion: monitoring.coreos.com/v1
+ name: gitea-unittests
+ - isNotNullOrEmpty:
+ path: metadata.labels
+ - equal:
+ path: spec.endpoints
+ value:
+ - port: http
+ - it: renders secure ServiceMonitor if gitea.metrics.token not empty
+ set:
+ gitea.metrics.enabled: true
+ gitea.metrics.token: "test-token"
+ gitea.metrics.serviceMonitor.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - documentIndex: 0
+ containsDocument:
+ kind: ServiceMonitor
+ apiVersion: monitoring.coreos.com/v1
+ name: gitea-unittests
+ - isNotNullOrEmpty:
+ path: metadata.labels
+ - equal:
+ path: spec.endpoints
+ value:
+ - port: http
+ authorization:
+ type: Bearer
+ credentials:
+ name: gitea-unittests-metrics-secret
+ key: token
+ optional: false
diff --git a/charts/helm-gitea/unittests/helm/values-conflicting-checks.yaml b/charts/helm-gitea/unittests/helm/values-conflicting-checks.yaml
new file mode 100644
index 0000000..a1ba969
--- /dev/null
+++ b/charts/helm-gitea/unittests/helm/values-conflicting-checks.yaml
@@ -0,0 +1,14 @@
+suite: Values conflicting checks
+release:
+ name: gitea-unittests
+ namespace: testing
+tests:
+ - it: fails when trying to configure valkey and valkey-cluster the same time
+ set:
+ valkey-cluster:
+ enabled: true
+ valkey:
+ enabled: true
+ asserts:
+ - failedTemplate:
+ errorMessage: valkey and valkey-cluster cannot be enabled at the same time. Please only choose one.
diff --git a/charts/helm-gitea/values.yaml b/charts/helm-gitea/values.yaml
new file mode 100644
index 0000000..c3b9d01
--- /dev/null
+++ b/charts/helm-gitea/values.yaml
@@ -0,0 +1,620 @@ +# Default values for gitea. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +## @section Global +# +## @param global.imageRegistry global image registry override +## @param global.imagePullSecrets global image pull secrets override; can be extended by `imagePullSecrets` +## @param global.storageClass global storage class override +## @param global.hostAliases global hostAliases which will be added to the pod's hosts files +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + hostAliases: [] + # - ip: 192.168.137.2 + # hostnames: + # - example.com + +## @param namespace An explicit namespace to deploy gitea into. Defaults to the release namespace if not specified +namespace: "" + +## @param replicaCount number of replicas for the deployment +replicaCount: 1 + +## @section strategy +## @param strategy.type strategy type +## @param strategy.rollingUpdate.maxSurge maxSurge +## @param strategy.rollingUpdate.maxUnavailable maxUnavailable +strategy: + type: "RollingUpdate" + rollingUpdate: + maxSurge: "100%" + maxUnavailable: 0 + +## @param clusterDomain cluster domain +clusterDomain: cluster.local + +## @section Image +## @param image.registry image registry, e.g. gcr.io,docker.io +## @param image.repository Image to start for this pod +## @param image.tag Visit: [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated). Defaults to `appVersion` within Chart.yaml. +## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` +## @param image.pullPolicy Image pull policy +## @param image.rootless Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher +## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. 
**Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** +image: + registry: "docker.gitea.com" + repository: gitea + # Overrides the image tag whose default is the chart appVersion. + tag: "" + digest: "" + pullPolicy: IfNotPresent + rootless: true + fullOverride: "" + +## @param imagePullSecrets Secret to use for pulling the image +imagePullSecrets: [] + +## @section Security +# Security context is only usable with rootless image due to image design +## @param podSecurityContext.fsGroup Set the shared file system group for all containers in the pod. +podSecurityContext: + fsGroup: 1000 + +## @param containerSecurityContext Security context +containerSecurityContext: {} +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# # Add the SYS_CHROOT capability for root and rootless images if you intend to +# # run pods on nodes that use the container runtime cri-o. Otherwise, you will +# # get an error message from the SSH server that it is not possible to read from +# # the repository. +# # https://gitea.com/gitea/helm-gitea/issues/161 +# add: +# - SYS_CHROOT +# privileged: false +# readOnlyRootFilesystem: true +# runAsGroup: 1000 +# runAsNonRoot: true +# runAsUser: 1000 + +## @deprecated The securityContext variable has been split two: +## - containerSecurityContext +## - podSecurityContext. 
+## @param securityContext Run init and Gitea containers as a specific securityContext +securityContext: {} + +## @param podDisruptionBudget Pod disruption budget +podDisruptionBudget: {} +# maxUnavailable: 1 +# minAvailable: 1 + +## @section Service +service: + ## @param service.http.type Kubernetes service type for web traffic + ## @param service.http.port Port number for web traffic + ## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment is None + ## @param service.http.loadBalancerIP LoadBalancer IP setting + ## @param service.http.nodePort NodePort for http service + ## @param service.http.externalTrafficPolicy If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation + ## @param service.http.externalIPs External IPs for service + ## @param service.http.ipFamilyPolicy HTTP service dual-stack policy + ## @param service.http.ipFamilies HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). 
+ ## @param service.http.loadBalancerSourceRanges Source range filter for http loadbalancer + ## @param service.http.annotations HTTP service annotations + ## @param service.http.labels HTTP service additional labels + ## @param service.http.loadBalancerClass Loadbalancer class + http: + type: ClusterIP + port: 3000 + clusterIP: None + loadBalancerIP: + nodePort: + externalTrafficPolicy: + externalIPs: + ipFamilyPolicy: + ipFamilies: + loadBalancerSourceRanges: [] + annotations: {} + labels: {} + loadBalancerClass: + ## @param service.ssh.type Kubernetes service type for ssh traffic + ## @param service.ssh.port Port number for ssh traffic + ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment is None + ## @param service.ssh.loadBalancerIP LoadBalancer IP setting + ## @param service.ssh.nodePort NodePort for ssh service + ## @param service.ssh.externalTrafficPolicy If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation + ## @param service.ssh.externalIPs External IPs for service + ## @param service.ssh.ipFamilyPolicy SSH service dual-stack policy + ## @param service.ssh.ipFamilies SSH service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). 
+ ## @param service.ssh.hostPort HostPort for ssh service + ## @param service.ssh.loadBalancerSourceRanges Source range filter for ssh loadbalancer + ## @param service.ssh.annotations SSH service annotations + ## @param service.ssh.labels SSH service additional labels + ## @param service.ssh.loadBalancerClass Loadbalancer class + ssh: + type: ClusterIP + port: 22 + clusterIP: None + loadBalancerIP: + nodePort: + externalTrafficPolicy: + externalIPs: + ipFamilyPolicy: + ipFamilies: + hostPort: + loadBalancerSourceRanges: [] + annotations: {} + labels: {} + loadBalancerClass: + +## @section Ingress +## @param ingress.enabled Enable ingress +## @param ingress.className DEPRECATED: Ingress class name. +## @param ingress.pathType Ingress Path Type +## @param ingress.annotations Ingress annotations +## @param ingress.hosts[0].host Default Ingress host +## @param ingress.hosts[0].paths[0].path Default Ingress path +## @param ingress.tls Ingress tls settings +ingress: + enabled: false + className: "" + pathType: Prefix + annotations: {} + hosts: + - host: git.example.com + paths: + - path: / + tls: [] + # - secretName: chart-example-tls + # hosts: + # - git.example.com + +## @section deployment +# +## @param resources Kubernetes resources +resources: + {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +## @param schedulerName Use an alternate scheduler, e.g. 
"stork" +schedulerName: "" + +## @param nodeSelector NodeSelector for the deployment +nodeSelector: {} + +## @param tolerations Tolerations for the deployment +tolerations: [] + +## @param affinity Affinity for the deployment +affinity: {} + +## @param topologySpreadConstraints TopologySpreadConstraints for the deployment +topologySpreadConstraints: [] + +## @param dnsConfig dnsConfig for the deployment +dnsConfig: {} + +## @param priorityClassName priorityClassName for the deployment +priorityClassName: "" + +## @param deployment.env Additional environment variables to pass to containers +## @param deployment.terminationGracePeriodSeconds How long to wait until forcefully kill the pod +## @param deployment.labels Labels for the deployment +## @param deployment.annotations Annotations for the Gitea deployment to be created +deployment: + env: + [] + # - name: VARIABLE + # value: my-value + terminationGracePeriodSeconds: 60 + labels: {} + annotations: {} + +## @section ServiceAccount + +## @param serviceAccount.create Enable the creation of a ServiceAccount +## @param serviceAccount.name Name of the created ServiceAccount, defaults to release name. Can also link to an externally provided ServiceAccount that should be used. 
+## @param serviceAccount.automountServiceAccountToken Enable/disable auto mounting of the service account token +## @param serviceAccount.imagePullSecrets Image pull secrets, available to the ServiceAccount +## @param serviceAccount.annotations Custom annotations for the ServiceAccount +## @param serviceAccount.labels Custom labels for the ServiceAccount +serviceAccount: + create: false + name: "" + automountServiceAccountToken: false + imagePullSecrets: [] + # - name: private-registry-access + annotations: {} + labels: {} + +## @section Persistence +# +## @param persistence.enabled Enable persistent storage +## @param persistence.create Whether to create the persistentVolumeClaim for shared storage +## @param persistence.mount Whether the persistentVolumeClaim should be mounted (even if not created) +## @param persistence.claimName Use an existing claim to store repository information +## @param persistence.size Size for persistence to store repo information +## @param persistence.accessModes AccessMode for persistence +## @param persistence.labels Labels for the persistence volume claim to be created +## @param persistence.annotations.helm.sh/resource-policy Resource policy for the persistence volume claim +## @param persistence.storageClass Name of the storage class to use +## @param persistence.subPath Subdirectory of the volume to mount at +## @param persistence.volumeName Name of persistent volume in PVC +persistence: + enabled: true + create: true + mount: true + claimName: gitea-shared-storage + size: 10Gi + accessModes: + - ReadWriteOnce + labels: {} + storageClass: + subPath: + volumeName: "" + annotations: + helm.sh/resource-policy: keep + +## @param extraContainers Additional sidecar containers to run in the pod +extraContainers: [] +# - name: sidecar-bob +# image: busybox +# command: [/bin/sh, -c, 'echo "Hello world"; sleep 86400'] + +## @param extraVolumes Additional volumes to mount to the Gitea deployment +extraVolumes: [] +# - name: 
postgres-ssl-vol +# secret: +# secretName: gitea-postgres-ssl + +## @param extraContainerVolumeMounts Mounts that are only mapped into the Gitea runtime/main container, to e.g. override custom templates. +extraContainerVolumeMounts: [] + +## @param extraInitVolumeMounts Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration. +extraInitVolumeMounts: [] + +## @deprecated The extraVolumeMounts variable has been split two: +## - extraContainerVolumeMounts +## - extraInitVolumeMounts +## As an example, can be used to mount a client cert when connecting to an external Postgres server. +## @param extraVolumeMounts **DEPRECATED** Additional volume mounts for init containers and the Gitea main container +extraVolumeMounts: [] +# - name: postgres-ssl-vol +# readOnly: true +# mountPath: "/pg-ssl" + +## @section Init +## @param initPreScript Bash shell script copied verbatim to the start of the init-container. +initPreScript: "" +## @param initContainersScriptsVolumeMountPath Path to mount the scripts consumed from the Secrets +initContainersScriptsVolumeMountPath: "/usr/sbinx" +# +# initPreScript: | +# mkdir -p /data/git/.postgresql +# cp /pg-ssl/* /data/git/.postgresql/ +# chown -R git:git /data/git/.postgresql/ +# chmod 400 /data/git/.postgresql/postgresql.key + +## @param initContainers.resources.limits initContainers.limits Kubernetes resource limits for init containers +## @param initContainers.resources.requests.cpu initContainers.requests.cpu Kubernetes cpu resource limits for init containers +## @param initContainers.resources.requests.memory initContainers.requests.memory Kubernetes memory resource limits for init containers +initContainers: + resources: + limits: {} + requests: + cpu: 100m + memory: 128Mi + +# Configure commit/action signing prerequisites +## @section Signing +# +## @param signing.enabled Enable commit/action signing +## @param signing.gpgHome GPG home directory +## @param signing.privateKey Inline private 
gpg key for signed internal Git activity +## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey` +signing: + enabled: false + gpgHome: /data/git/.gnupg + privateKey: "" + # privateKey: |- + # -----BEGIN PGP PRIVATE KEY BLOCK----- + # ... + # -----END PGP PRIVATE KEY BLOCK----- + existingSecret: "" + +## @section Gitea +# +gitea: + ## @param gitea.admin.username Username for the Gitea admin user + ## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials + ## @param gitea.admin.password Password for the Gitea admin user + ## @param gitea.admin.email Email for the Gitea admin user + ## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated + admin: + # existingSecret: gitea-admin-secret + existingSecret: + username: gitea_admin + password: r8sA8CPHD9!bt6d + email: "gitea@local.domain" + passwordMode: keepUpdated + + ## @param gitea.metrics.enabled Enable Gitea metrics + ## @param gitea.metrics.token used for `bearer` token authentication on metrics endpoint. If not specified or empty metrics endpoint is public. + ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor. Requires, that `gitea.metrics.enabled` is also set to true, to enable metrics generally. + ## @param gitea.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used. + ## @param gitea.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. + ## @param gitea.metrics.serviceMonitor.scheme HTTP scheme to use for scraping. For example `http` or `https`. Default is http. + ## @param gitea.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used. 
+ ## @param gitea.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus. + metrics: + enabled: false + token: + serviceMonitor: + enabled: false + # additionalLabels: + # prometheus-release: prom1 + interval: "" + relabelings: [] + scheme: "" + scrapeTimeout: "" + tlsConfig: {} + + ## @param gitea.ldap LDAP configuration + ldap: + [] + # - name: "LDAP 1" + # existingSecret: + # securityProtocol: + # host: + # port: + # userSearchBase: + # userFilter: + # adminFilter: + # emailAttribute: + # bindDn: + # bindPassword: + # usernameAttribute: + # publicSSHKeyAttribute: + + # Either specify inline `key` and `secret` or refer to them via `existingSecret` + ## @param gitea.oauth OAuth configuration + oauth: + [] + # - name: 'OAuth 1' + # provider: + # key: + # secret: + # existingSecret: + # autoDiscoverUrl: + # useCustomUrls: + # customAuthUrl: + # customTokenUrl: + # customProfileUrl: + # customEmailUrl: + + ## @param gitea.config.server.SSH_PORT SSH port for rootlful Gitea image + ## @param gitea.config.server.SSH_LISTEN_PORT SSH port for rootless Gitea image + config: + # APP_NAME: "Gitea: Git with a cup of tea" + # RUN_MODE: dev + server: + SSH_PORT: 22 # rootful image + SSH_LISTEN_PORT: 2222 # rootless image + # + # security: + # PASSWORD_COMPLEXITY: spec + + ## @param gitea.additionalConfigSources Additional configuration from secret or configmap + additionalConfigSources: [] + # - secret: + # secretName: gitea-app-ini-oauth + # - configMap: + # name: gitea-app-ini-plaintext + + ## @param gitea.additionalConfigFromEnvs Additional configuration sources from environment variables + additionalConfigFromEnvs: [] + + ## @param gitea.podAnnotations Annotations for the Gitea pod + podAnnotations: {} + + ## @param gitea.ssh.logLevel Configure OpenSSH's log level. Only available for root-based Gitea image. 
+ ssh: + logLevel: "INFO" + + ## @section LivenessProbe + # + ## @param gitea.livenessProbe.enabled Enable liveness probe + ## @param gitea.livenessProbe.tcpSocket.port Port to probe for liveness + ## @param gitea.livenessProbe.initialDelaySeconds Initial delay before liveness probe is initiated + ## @param gitea.livenessProbe.timeoutSeconds Timeout for liveness probe + ## @param gitea.livenessProbe.periodSeconds Period for liveness probe + ## @param gitea.livenessProbe.successThreshold Success threshold for liveness probe + ## @param gitea.livenessProbe.failureThreshold Failure threshold for liveness probe + # Modify the liveness probe for your needs or completely disable it by commenting out. + livenessProbe: + enabled: true + tcpSocket: + port: http + initialDelaySeconds: 200 + timeoutSeconds: 1 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + + ## @section ReadinessProbe + # + ## @param gitea.readinessProbe.enabled Enable readiness probe + ## @param gitea.readinessProbe.tcpSocket.port Port to probe for readiness + ## @param gitea.readinessProbe.initialDelaySeconds Initial delay before readiness probe is initiated + ## @param gitea.readinessProbe.timeoutSeconds Timeout for readiness probe + ## @param gitea.readinessProbe.periodSeconds Period for readiness probe + ## @param gitea.readinessProbe.successThreshold Success threshold for readiness probe + ## @param gitea.readinessProbe.failureThreshold Failure threshold for readiness probe + # Modify the readiness probe for your needs or completely disable it by commenting out. + readinessProbe: + enabled: true + tcpSocket: + port: http + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + + # # Uncomment the startup probe to enable and modify it for your needs. 
+ ## @section StartupProbe + # + ## @param gitea.startupProbe.enabled Enable startup probe + ## @param gitea.startupProbe.tcpSocket.port Port to probe for startup + ## @param gitea.startupProbe.initialDelaySeconds Initial delay before startup probe is initiated + ## @param gitea.startupProbe.timeoutSeconds Timeout for startup probe + ## @param gitea.startupProbe.periodSeconds Period for startup probe + ## @param gitea.startupProbe.successThreshold Success threshold for startup probe + ## @param gitea.startupProbe.failureThreshold Failure threshold for startup probe + startupProbe: + enabled: false + tcpSocket: + port: http + initialDelaySeconds: 60 + timeoutSeconds: 1 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + +## @section valkey-cluster +## @param valkey-cluster.enabled Enable valkey cluster +# ⚠️ The valkey charts do not work well with special characters in the password (). +# Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed. +## @param valkey-cluster.usePassword Whether to use password authentication +## @param valkey-cluster.usePasswordFiles Whether to mount passwords as files instead of environment variables +## @param valkey-cluster.cluster.nodes Number of valkey cluster master nodes +## @param valkey-cluster.cluster.replicas Number of valkey cluster master node replicas +## @param valkey-cluster.service.ports.valkey Port of Valkey service +## @descriptionStart +## Valkey cluster and [Valkey](#valkey) cannot be enabled at the same time. +## @descriptionEnd +valkey-cluster: + enabled: true + usePassword: false + usePasswordFiles: false + cluster: + nodes: 3 # default: 6 + replicas: 0 # default: 1 + service: + ports: + valkey: 6379 + +## @section valkey +## @param valkey.enabled Enable valkey standalone or replicated +## @param valkey.architecture Whether to use standalone or replication +# ⚠️ The valkey charts do not work well with special characters in the password (). 
+# Consider omitting such or open an issue in the Bitnami repo and let us know once this got fixed. +## @param valkey.global.valkey.password Required password +## @param valkey.master.count Number of Valkey master instances to deploy +## @param valkey.master.service.ports.valkey Port of Valkey service +## @descriptionStart +## Valkey and [Valkey cluster](#valkey-cluster) cannot be enabled at the same time. +## @descriptionEnd +valkey: + enabled: false + architecture: standalone + global: + valkey: + password: changeme + master: + count: 1 + service: + ports: + valkey: 6379 + +## @section PostgreSQL HA +# +## @param postgresql-ha.enabled Enable PostgreSQL HA +## @param postgresql-ha.postgresql.password Password for the `gitea` user (overrides `auth.password`) +## @param postgresql-ha.global.postgresql.database Name for a custom database to create (overrides `auth.database`) +## @param postgresql-ha.global.postgresql.username Name for a custom user to create (overrides `auth.username`) +## @param postgresql-ha.global.postgresql.password Name for a custom password to create (overrides `auth.password`) +## @param postgresql-ha.postgresql.repmgrPassword Repmgr Password +## @param postgresql-ha.postgresql.postgresPassword postgres Password +## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword +## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) +## @param postgresql-ha.persistence.size PVC Storage Request for PostgreSQL HA volume +postgresql-ha: + global: + postgresql: + database: gitea + password: gitea + username: gitea + enabled: true + postgresql: + repmgrPassword: changeme2 + postgresPassword: changeme1 + password: changeme4 + pgpool: + adminPassword: changeme3 + service: + ports: + postgresql: 5432 + persistence: + size: 10Gi + +## @section PostgreSQL +# +## @param postgresql.enabled Enable PostgreSQL +## @param postgresql.global.postgresql.auth.password Password for the `gitea` user 
(overrides `auth.password`) +## @param postgresql.global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`) +## @param postgresql.global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`) +## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) +## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume +postgresql: + enabled: false + global: + postgresql: + auth: + password: gitea + database: gitea + username: gitea + service: + ports: + postgresql: 5432 + primary: + persistence: + size: 10Gi + +# By default, removed or moved settings that still remain in a user defined values.yaml will cause Helm to fail running the install/update. +# Set it to false to skip this basic validation check. +## @section Advanced +## @param checkDeprecation Set it to false to skip this basic validation check. +## @param test.enabled Set it to false to disable test-connection Pod. +## @param test.image.name Image name for the wget container used in the test-connection Pod. +## @param test.image.tag Image tag for the wget container used in the test-connection Pod. +checkDeprecation: true +test: + enabled: true + image: + name: busybox + tag: latest + +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: [] diff --git a/manifests/gitea-bitnami/values.yaml b/manifests/gitea-bitnami/values.yaml deleted file mode 100644 index 111da56..0000000 --- a/manifests/gitea-bitnami/values.yaml +++ /dev/null 
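Review bot: These chart defaults ship live credentials — `gitea.admin.password: r8sA8CPHD9!bt6d`, `valkey.global.valkey.password: changeme`, the `postgresql-ha` passwords `changeme1` to `changeme4`, `postgresql.global.postgresql.auth.password: gitea` — and `valkey-cluster`, which is enabled by default, runs with `usePassword: false`. The same commit deletes manifests/gitea-bitnami/values.yaml and adds manifests/gitea/values.yaml as an empty file (its blob id is the one git assigns to empty content), so unless an override is applied from somewhere not in this diff, the release inherits all of these values together with `containerSecurityContext: {}` and `test.image.tag: latest`. The override file should at minimum set `gitea.admin.existingSecret` and source the database and valkey passwords from Secrets, and carry forward the ingress, OAuth and nodeSelector settings the removed file had. Keeping this upstream copy untouched is fine; the point is the empty override, not this file.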
@@ -1,69 +0,0 @@
-# gitea-bitnami values.yaml
-
-ingress:
- enabled: true
- className: traefik
- annotations:
- traefik.ingress.kubernetes.io/router.entrypoints: websecure
- traefik.ingress.kubernetes.io/router.tls: "true"
- hostname: git.dvirlabs.com
- extraHosts: []
- tls: []
- pathType: ImplementationSpecific
-
-
-postgresql-ha:
- enabled: false
-
-postgresql:
- enabled: true
- auth:
- username: gitea
- password: gitea
- database: gitea
- primary:
- persistence:
- size: 10Gi
- tolerations:
- - key: "node.kubernetes.io/disk-pressure"
- operator: "Exists"
- effect: "NoSchedule"
- namespaceOverride: dev-tools
-
-persistence:
- enabled: true
- size: 5Gi
- accessModes:
- - ReadWriteOnce
-
-gitea:
- config:
- OAUTH2_JWT_SECRET: "randomstring"
- additionalEnvVars:
- - name: GITEA__oauth__0__client_secret
- valueFrom:
- secretKeyRef:
- name: gitea-keycloak-secret
- key: client-secret
- oauth:
- - name: Keycloak
- provider: openidConnect
- key: gitea
- autoDiscoverUrl: https://keycloak.dvirlabs.com/realms/lab/.well-known/openid-configuration
- scopes: openid profile email
- groupClaimName: groups
- adminGroup: gitea-admins
- restrictedGroup: gitea-users
-
-
-service:
- type: ClusterIP
-
- readinessProbe:
- enabled: false
-
-namespace:
- enabled: false
-
-nodeSelector:
- node-role.kubernetes.io/worker: "true"
\ No newline at end of file
diff --git a/manifests/gitea/values.yaml b/manifests/gitea/values.yaml
new file mode 100644
index 0000000..e69de29