From 564ec57cc72b4f11c7ada13dd56f4163222ceabf Mon Sep 17 00:00:00 2001 From: David Landry Date: Mon, 7 Jul 2025 13:21:20 -0400 Subject: [PATCH] chore(forgejo): update chart Chart version 12.5.3 App version 11.0.2 --- bootstrap/forgejo/values.yaml | 212 +++++++++++++++++++++++++++++++--- 1 file changed, 199 insertions(+), 13 deletions(-) diff --git a/bootstrap/forgejo/values.yaml b/bootstrap/forgejo/values.yaml index 44afc1f..d1e08dd 100644 --- a/bootstrap/forgejo/values.yaml +++ b/bootstrap/forgejo/values.yaml @@ -1,6 +1,24 @@ # Default values for gitea. # This is a YAML-formatted file. # Declare variables to be passed into your templates. +## @section Global +# +## @param global.imageRegistry global image registry override +## @param global.imagePullSecrets global image pull secrets override; can be extended by `imagePullSecrets` +## @param global.storageClass global storage class override +## @param global.hostAliases global hostAliases which will be added to the pod's hosts files +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + hostAliases: [] + # - ip: 192.168.137.2 + # hostnames: + # - example.com ## @param namespaceOverride String to fully override common.names.namespace ## 
@@ -28,14 +46,17 @@ clusterDomain: cluster.local ## @param image.tag Visit: [Image tag](https://code.forgejo.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml. ## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` ## @param image.pullPolicy Image pull policy -## @param image.rootless Wether or not to pull the rootless version of Forgejo +## @param image.rootless Whether or not to pull the rootless version of Forgejo ## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).** image: registry: code.forgejo.org repository: forgejo/forgejo - pullPolicy: IfNotPresent + pullPolicy: Always rootless: true +## @param imagePullSecrets Secret to use for pulling the image +imagePullSecrets: [] + ## @section Security # Security context is only usable with rootless image due to image design ## @param podSecurityContext.fsGroup Set the shared file system group for all containers in the pod. @@ -61,6 +82,12 @@ containerSecurityContext: {} # runAsNonRoot: true # runAsUser: 1000 +## @deprecated The securityContext variable has been split two: +## - containerSecurityContext +## - podSecurityContext. +## @param securityContext Run init and Forgejo containers as a specific securityContext +securityContext: {} + ## @param podDisruptionBudget Pod disruption budget podDisruptionBudget: minAvailable: 1 
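Review bot: Changing `pullPolicy` to `Always` without pinning `image.digest` means every pod start re-resolves a mutable tag from code.forgejo.org, so the binary actually running can change underneath a fixed chart version and is not reproducible from this file; no `tag` or `digest` key appears in the `image:` mapping in this hunk. The comment on `image.digest` above says it exists for exactly this, so set `digest: "sha256:…"` for the 11.0.2 image and then `pullPolicy: IfNotPresent` is equally safe. Keep `Always` only if re-pulling a moving tag on every restart is the intended behaviour, and say so in a comment, e.g. `# Always: re-pull on restart; tag is mutable and no digest is pinned`.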
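Review bot: The deprecated `securityContext: {}` is re-added while `containerSecurityContext` and `podSecurityContext` remain empty, so the pod runs with whatever the chart renders by default and the new key is a no-op that the `@deprecated` note in this same hunk says has been split in two. Since `image.rootless: true` is set and the comment says the security context is usable with the rootless image, drop the deprecated key and populate `containerSecurityContext` with the commented example (`runAsNonRoot: true`, `runAsUser: 1000`) plus `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, after checking the rootless image starts under them. The `podDisruptionBudget` mapping continues outside the hunk.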
@@ -75,11 +102,12 @@ service: ## @param service.http.externalTrafficPolicy If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation ## @param service.http.externalIPs External IPs for service ## @param service.http.ipFamilyPolicy HTTP service dual-stack policy - ## @param service.http.ipFamilies HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). + ## @param service.http.ipFamilies HTTP service dual-stack family selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). ## @param service.http.loadBalancerSourceRanges Source range filter for http loadbalancer ## @param service.http.annotations HTTP service annotations ## @param service.http.labels HTTP service additional labels ## @param service.http.loadBalancerClass Loadbalancer class + ## @param service.http.extraPorts Additional ports http: type: ClusterIP port: 3000 @@ -94,6 +122,7 @@ service: annotations: {} labels: {} loadBalancerClass: + extraPorts: [] ## @param service.ssh.type Kubernetes service type for ssh traffic ## @param service.ssh.port Port number for ssh traffic ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment 
@@ -102,7 +131,7 @@ service: ## @param service.ssh.externalTrafficPolicy If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation ## @param service.ssh.externalIPs External IPs for service ## @param service.ssh.ipFamilyPolicy SSH service dual-stack policy - ## @param service.ssh.ipFamilies SSH service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). + ## @param service.ssh.ipFamilies SSH service dual-stack family selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/). ## @param service.ssh.hostPort HostPort for ssh service ## @param service.ssh.loadBalancerSourceRanges Source range filter for ssh loadbalancer ## @param service.ssh.annotations SSH service annotations @@ -131,11 +160,12 @@ service: ## @param ingress.hosts[0].host Default Ingress host ## @param ingress.hosts[0].paths[0].path Default Ingress path ## @param ingress.hosts[0].paths[0].pathType Ingress path type +## @param ingress.hosts[0].paths[0].port Target port for Ingress ## @param ingress.tls Ingress tls settings ingress: # className: nginx annotations: - cert-manager.io/cluster-issuer: letsencrypt-issuer + cert-manager.io/cluster-issuer: letsencrypt-issuer-dns01 enabled: true hosts: - host: git.nc.landry.land 
@@ -146,12 +176,89 @@ ingress: paths: - path: / pathType: Prefix + port: http tls: - hosts: - git.nc.landry.land - git.mgmt-k8s.nc.landry.land secretName: forgejo-tls +# Enables Gateway API HTTPRoute as a replacement for traditional Ingress resources +## @section Gateway-API HTTPRoute +## @param httpRoute.enabled Enables Gateway API HTTPRoute as a replacement for traditional Ingress resources +## @param httpRoute.annotations Annotations to add to the HTTPRoute resource +## @param httpRoute.parentRefs List of parentRefs for the HTTPRoute, typically referencing the Gateway(name, namespace) +## @param httpRoute.hostnames Hostnames this HTTPRoute applies to +## @param httpRoute.matches.path.type Type of path match (e.g., PathPrefix or Exact or RegularExpression) +## @param httpRoute.matches.path.value Path value for matching incoming requests +## @param httpRoute.matches.timeouts Object containing timeouts. +## @param httpRoute.filters Filters to apply on HTTP requests, such as header rewrites or request redirects +httpRoute: + enabled: false + annotations: {} + parentRefs: + [] + # - name: contour #name of the gateway resource + # namespace: projectcontour #name space where gateway resource running + hostnames: [] + # - my-filter.example.com + matches: + path: + type: PathPrefix + value: "/" + timeouts: + {} + # request: 10s #Maximum time the Gateway waits to complete the full client request and response cycle. + # backendRequest: 10s # Maximum time the Gateway waits for a response from the backend service. 
+ filters: [] + # - type: RequestHeaderModifier + # requestHeaderModifier: + # set: + # - name: X-Forwarded-Proto + # value: https + +## @section Route +## @param route.enabled Enable route +## @param route.annotations Route annotations +## @param route.host Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined) +## @param route.wildcardPolicy Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed. +## @param route.tls.termination termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls)) +## @param route.tls.insecureEdgeTerminationPolicy the desired behavior for insecure connections to a route (e.g. with http) +## @param route.tls.existingSecret the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored) +## @param route.tls.certificate PEM encoded single certificate +## @param route.tls.privateKey PEM encoded private key +## @param route.tls.caCertificate PEM encoded CA certificate or chain that issued the certificate +## @param route.tls.destinationCACertificate PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise) +route: + enabled: false + annotations: {} + host: + wildcardPolicy: + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect + existingSecret: + certificate: + # certificate: |- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + privateKey: + # privateKey: |- + # -----BEGIN PRIVATE KEY----- + # ... + # -----END PRIVATE KEY----- + caCertificate: + # caCertificate: |- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + destinationCACertificate: + # destinationCACertificate: |- + # -----BEGIN CERTIFICATE----- + # ... 
+ # -----END CERTIFICATE----- + ## @section deployment # ## @param resources Kubernetes resources @@ -163,6 +270,43 @@ resources: cpu: 100m memory: 128Mi +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +## @param schedulerName Use an alternate scheduler, e.g. "stork" +schedulerName: "" + +## @param nodeSelector NodeSelector for the deployment +nodeSelector: {} + +## @param tolerations Tolerations for the deployment +tolerations: [] + +## @param affinity Affinity for the deployment +affinity: {} + +## @param topologySpreadConstraints TopologySpreadConstraints for the deployment +topologySpreadConstraints: [] + +## @param dnsConfig dnsConfig for the deployment +dnsConfig: {} + +## @param priorityClassName priorityClassName for the deployment +priorityClassName: "" + +## @param deployment.env Additional environment variables to pass to containers +## @param deployment.terminationGracePeriodSeconds How long to wait until forcefully kill the pod +## @param deployment.labels Labels for the deployment +## @param deployment.annotations Annotations for the Forgejo deployment to be created +deployment: + env: + [] + # - name: VARIABLE + # value: my-value + terminationGracePeriodSeconds: 60 + labels: {} + annotations: {} + ## @section ServiceAccount ## @param serviceAccount.create Enable the creation of a ServiceAccount @@ -206,6 +350,12 @@ persistence: annotations: helm.sh/resource-policy: keep +## @param extraContainers Additional sidecar containers to run in the pod +extraContainers: [] +# - name: sidecar-bob +# image: busybox +# command: [/bin/sh, -c, 'echo "Hello world"; sleep 86400'] + ## @param extraVolumes Additional volumes to mount to the Forgejo deployment extraVolumes: [] # - name: postgres-ssl-vol 
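Review bot: `route.tls.privateKey`, `certificate` and `caCertificate` invite pasting PEM material directly into this values file, which is under version control (the same file carries a literal admin password further down), and a Route object presumably embeds the key in its spec where anyone with read access on routes can retrieve it. Leave those three keys empty and put the guidance next to `existingSecret`, e.g. `# Prefer existingSecret: a key placed in privateKey is committed to VCS and rendered into the Route spec`. `route.enabled` is `false` here, so this is hygiene for later use rather than a live exposure; confirm how the chart templates `privateKey` before treating it as secret.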
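Review bot: The `extraContainers` example runs an unpinned `busybox` sidecar with no `securityContext`; sidecars added here share the pod's network namespace, any volumes they mount and, unless token automount is disabled, the pod's service account token. `containerSecurityContext` is documented as applying to the Forgejo containers, and nothing in this file shows it being applied to `extraContainers`, so each sidecar should carry its own `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`) and a digest-pinned image. Suggest extending the commented example with `#   securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false}` so the template people copy is already hardened.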
@@ -215,7 +365,28 @@ extraVolumes: [] ## @param extraContainerVolumeMounts Mounts that are only mapped into the Forgejo runtime/main container, to e.g. override custom templates. extraContainerVolumeMounts: [] +## @param extraInitVolumeMounts Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration. +extraInitVolumeMounts: [] + +## @deprecated The extraVolumeMounts variable has been split two: +## - extraContainerVolumeMounts +## - extraInitVolumeMounts +## As an example, can be used to mount a client cert when connecting to an external Postgres server. +## @param extraVolumeMounts **DEPRECATED** Additional volume mounts for init containers and the Forgejo main container +extraVolumeMounts: [] +# - name: postgres-ssl-vol +# readOnly: true +# mountPath: "/pg-ssl" + ## @section Init +## @param initPreScript Bash shell script copied verbatim to the start of the init-container. +initPreScript: "" +# +# initPreScript: | +# mkdir -p /data/git/.postgresql +# cp /pg-ssl/* /data/git/.postgresql/ +# chown -R git:git /data/git/.postgresql/ +# chmod 400 /data/git/.postgresql/postgresql.key ## @param initContainers.resources.limits initContainers.limits Kubernetes resource limits for init containers ## @param initContainers.resources.requests.cpu initContainers.requests.cpu Kubernetes cpu resource limits for init containers @@ -254,7 +425,7 @@ gitea: ## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated admin: username: davad - password: r8sdA8CPHD9!bt6d + password: r8sA8CPHD9!bt6d email: "me@davad.me" passwordMode: initialOnlyRequireReset 
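Review bot: The `initPreScript` example `chown -R git:git /data/git/.postgresql/` assumes a root init container, but this deployment sets `image.rootless: true` and the `containerSecurityContext` comments elsewhere in the file show `runAsUser: 1000`, so the chown is likely to fail in the rootless image and the `chmod 400` is then the only protection on the copied client key. Add a caveat beside the example, e.g. `# rootless image: files copied here are already owned by the container user; omit the chown or the init container fails`. Also worth a comment that `initPreScript` is arbitrary shell run on every start, so write access to this values file is code execution in the pod — a reason to keep it empty here. The `initContainers` mapping continues outside the hunk.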
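Review bot: The admin password is a plaintext literal (`password: r8sA8CPHD9!bt6d`) in a version-controlled values file, and this commit edits it, so both the old and new values are permanently recoverable from git history regardless of later rotation. `passwordMode: initialOnlyRequireReset` limits the exposure to first login, but the literal should still go: supply it via a Kubernetes Secret (the Forgejo chart documents `gitea.admin.existingSecret` — confirm against the 12.5.3 README) or an encrypted overlay such as SOPS/sealed-secrets, and rotate the password now that it has been published. Treat the one-character change as accidental unless a rotation was intended; the `admin:` mapping may continue past the hunk.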
@@ -304,13 +475,17 @@ gitea: ## @param gitea.additionalConfigSources Additional configuration from secret or configmap additionalConfigSources: [] - # - configMap: - # name: gitea-app-ini-plaintext # - secret: # secretName: gitea-app-ini-oauth # - configMap: # name: gitea-app-ini-plaintext + ## @param gitea.additionalConfigFromEnvs Additional configuration sources from environment variables + additionalConfigFromEnvs: [] + + ## @param gitea.podAnnotations Annotations for the Forgejo pod + podAnnotations: {} + ## @param gitea.ssh.logLevel Configure OpenSSH's log level. Only available for root-based Forgejo image. ssh: logLevel: "INFO" @@ -526,7 +701,7 @@ gitea: enabled: false tcpSocket: port: http - initialDelaySeconds: 200 + initialDelaySeconds: 60 timeoutSeconds: 1 periodSeconds: 10 successThreshold: 1 @@ -564,6 +739,9 @@ redis-cluster: redis: enabled: true architecture: standalone + global: + redis: + password: changeme master: count: 1 @@ -582,7 +760,7 @@ redis: ## @param postgresql-ha.postgresql.postgresPassword postgres Password ## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword ## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) -## @param postgresql-ha.primary.persistence.size PVC Storage Request for PostgreSQL HA volume +## @param postgresql-ha.persistence.size PVC Storage Request for PostgreSQL HA volume postgresql-ha: enabled: false global: @@ -599,9 +777,8 @@ postgresql-ha: service: ports: postgresql: 5432 - primary: - persistence: - size: 10Gi + persistence: + size: 10Gi ## @section PostgreSQL ## @descriptionStart @@ -617,6 +794,15 @@ postgresql-ha: ## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume postgresql: enabled: true + global: + postgresql: + auth: + password: gitea + database: gitea + username: gitea + service: + ports: + postgresql: 5432 primary: persistence: size: 10Gi
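Review bot: `redis.global.redis.password: changeme` is an upstream placeholder, but `redis.enabled: true` in this hunk makes it the live credential for the Redis instance this Forgejo install uses. Replace it with a Secret reference (the Bitnami Redis subchart accepts `auth.existingSecret` / `auth.existingSecretPasswordKey` — verify the subchart version bundled with chart 12.5.3) and drop the literal; a known password plus any network path to the service hands an attacker whatever Forgejo keeps there. If a Secret cannot be wired in, at least generate a random value out of band and keep it in an encrypted values overlay. The `redis:` mapping continues outside the hunk (`master.count: 1` is the last visible line).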
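Review bot: `postgresql.global.postgresql.auth.password: gitea` pairs a guessable password with `username: gitea` / `database: gitea` for a subchart that is `enabled: true`, so these are the real database credentials for this install, committed in clear text. Point the subchart at a Secret instead — the Bitnami PostgreSQL values support `global.postgresql.auth.existingSecret` with `secretKeys.userPasswordKey` (verify against the bundled subchart) — and leave `password` unset, then check how the chart feeds the DB password into Forgejo's `app.ini` when it is not given as `auth.password`, which this hunk does not show. Even behind a ClusterIP service, a default password turns any pod-level foothold in the namespace into full read/write on repository metadata and user tables. The `postgresql:` mapping ends at `size: 10Gi` inside the hunk.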