diff --git a/.markdownlint.yaml b/.markdownlint.yaml index 6cf752c..a67574a 100644 --- a/.markdownlint.yaml +++ b/.markdownlint.yaml @@ -135,6 +135,8 @@ MD044: - MySQL - Memcached - Prometheus + - Git + - GitOps # Include code blocks code_blocks: false @@ -146,4 +148,4 @@ MD046: # MD048/code-fence-style - Code fence style MD048: # Code fence syle - style: "backtick" \ No newline at end of file + style: "backtick" diff --git a/README.md b/README.md index 3b5efd0..c544e37 100644 --- a/README.md +++ b/README.md 
@@ -272,6 +272,52 @@ The Prometheus `/metrics` endpoint is disabled by default. ENABLED = false ``` +### Additional _app.ini_ settings + +> **The [generic](https://docs.gitea.io/en-us/config-cheat-sheet/#overall-default) +section cannot be defined that way.** + +Some settings inside _app.ini_ (like passwords or whole authentication configurations) +must be considered sensitive and therefore should not be passed via plain text +inside the _values.yaml_ file. In times of _GitOps_ the values.yaml could be stored +in a Git repository where sensitive data should never be accessible. + +The Helm Chart supports this approach and let the user define custom sources like +Kubernetes Secrets to be loaded as environment variables during _app.ini_ creation +or update. + +```yaml +gitea: + additionalConfigSources: + - secret: + secretName: gitea-app-ini-oauth + - configMap: + name: gitea-app-ini-plaintext +``` + +This would mount the two additional volumes (`oauth` and `some-additionals`) +from different sources to the init containerwhere the _app.ini_ gets updated. +All files mounted that way will be read and converted to environment variables +and then added to the _app.ini_ using [environment-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini). + +The key of such additional source represents the section inside the _app.ini_. +The value for each key can be multiline ini-like definitions. + +In example, the referenced `gitea-app-ini-plaintext` could look like this. + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: gitea-app-ini-plaintext +data: + session: | + PROVIDER=memory + SAME_SITE=strict + cron.archive_cleanup: | + ENABLED=true +``` + ### External Database An external Database can be used instead of builtIn PostgreSQL or MySQL. diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 42b8bed..fcb3874 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -155,3 +155,157 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} {{- end -}} {{- end -}} + +{{- define "gitea.inline_configuration" -}} + {{- include "gitea.inline_configuration.init" . -}} + {{- include "gitea.inline_configuration.defaults" . -}} + + {{- $generals := list -}} + {{- $inlines := dict -}} + + {{- range $key, $value := .Values.gitea.config }} + {{- if kindIs "map" $value }} + {{- if gt (len $value) 0 }} + {{- $section := default list (get $inlines $key) -}} + {{- range $n_key, $n_value := $value }} + {{- $section = append $section (printf "%s=%v" $n_key $n_value) -}} + {{- end }} + {{- $_ := set $inlines $key (join "\n" $section) -}} + {{- end -}} + {{- else }} + {{- if or (eq $key "APP_NAME") (eq $key "RUN_USER") (eq $key "RUN_MODE") -}} + {{- $generals = append $generals (printf "%s=%s" $key $value) -}} + {{- else -}} + {{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}} + {{- end -}} + {{- end }} + {{- end }} + + {{- $_ := set $inlines "_generals_" (join "\n" $generals) -}} + {{- toYaml $inlines -}} +{{- end -}} + +{{- define "gitea.inline_configuration.init" -}} + {{- if not (hasKey .Values.gitea.config "cache") -}} + {{- $_ := set .Values.gitea.config "cache" dict -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config "server") -}} + {{- $_ := set .Values.gitea.config "server" dict -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config "metrics") -}} + {{- $_ := set .Values.gitea.config "metrics" dict -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config "database") -}} + {{- $_ := set .Values.gitea.config "database" dict -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config "security") -}} + {{- $_ := set .Values.gitea.config "security" dict -}} + {{- end -}} + {{- if not .Values.gitea.config.repository -}} + {{- $_ := set .Values.gitea.config "repository" dict -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config "oauth2") -}} + {{- $_ := set .Values.gitea.config "oauth2" 
dict -}} + {{- end -}} +{{- end -}} + +{{- define "gitea.inline_configuration.defaults" -}} + {{- include "gitea.inline_configuration.defaults.server" . -}} + {{- include "gitea.inline_configuration.defaults.database" . -}} + + {{- if not .Values.gitea.config.repository.ROOT -}} + {{- $_ := set .Values.gitea.config.repository "ROOT" "/data/git/gitea-repositories" -}} + {{- end -}} + {{- if not .Values.gitea.config.security.INSTALL_LOCK -}} + {{- $_ := set .Values.gitea.config.security "INSTALL_LOCK" "true" -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}} + {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}} + {{- end -}} + {{- if .Values.gitea.cache.builtIn.enabled -}} + {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}} + {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}} + {{- if not (.Values.gitea.config.cache.HOST) -}} + {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "gitea.inline_configuration.defaults.server" -}} + {{- if not (hasKey .Values.gitea.config.server "HTTP_PORT") -}} + {{- $_ := set .Values.gitea.config.server "HTTP_PORT" .Values.service.http.port -}} + {{- end -}} + {{- if not .Values.gitea.config.server.PROTOCOL -}} + {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}} + {{- end -}} + {{- if not (.Values.gitea.config.server.DOMAIN) -}} + {{- if gt (len .Values.ingress.hosts) 0 -}} + {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}} + {{- else -}} + {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) 
-}} + {{- end -}} + {{- end -}} + {{- if not .Values.gitea.config.server.ROOT_URL -}} + {{- if .Values.ingress.enabled -}} + {{- if gt (len .Values.ingress.tls) 0 -}} + {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}} + {{- else -}} + {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0).host) -}} + {{- end -}} + {{- else -}} + {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}} + {{- end -}} + {{- end -}} + {{- if not .Values.gitea.config.server.SSH_DOMAIN -}} + {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}} + {{- end -}} + {{- if not .Values.gitea.config.server.SSH_PORT -}} + {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}} + {{- if not .Values.image.rootless -}} + {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}} + {{- else -}} + {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" "2222" -}} + {{- end -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config.server "START_SSH_SERVER") -}} + {{- if .Values.image.rootless -}} + {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "true" -}} + {{- end -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}} + {{- $_ := set .Values.gitea.config.server "APP_DATA_PATH" "/data" -}} + {{- end -}} + {{- if not (hasKey .Values.gitea.config.server "ENABLE_PPROF") -}} + {{- $_ := set .Values.gitea.config.server "ENABLE_PPROF" false -}} + {{- end -}} +{{- end -}} + +{{- define "gitea.inline_configuration.defaults.database" -}} + {{- if 
.Values.gitea.database.builtIn.postgresql.enabled -}} + {{- $_ := set .Values.gitea.config.database "DB_TYPE" "postgres" -}} + {{- if not (.Values.gitea.config.database.HOST) -}} + {{- $_ := set .Values.gitea.config.database "HOST" (include "postgresql.dns" .) -}} + {{- end -}} + {{- $_ := set .Values.gitea.config.database "NAME" .Values.postgresql.global.postgresql.postgresqlDatabase -}} + {{- $_ := set .Values.gitea.config.database "USER" .Values.postgresql.global.postgresql.postgresqlUsername -}} + {{- $_ := set .Values.gitea.config.database "PASSWD" .Values.postgresql.global.postgresql.postgresqlPassword -}} + {{- else if .Values.gitea.database.builtIn.mysql.enabled -}} + {{- $_ := set .Values.gitea.config.database "DB_TYPE" "mysql" -}} + {{- if not (.Values.gitea.config.database.HOST) -}} + {{- $_ := set .Values.gitea.config.database "HOST" (include "mysql.dns" .) -}} + {{- end -}} + {{- $_ := set .Values.gitea.config.database "NAME" .Values.mysql.db.name -}} + {{- $_ := set .Values.gitea.config.database "USER" .Values.mysql.db.user -}} + {{- $_ := set .Values.gitea.config.database "PASSWD" .Values.mysql.db.password -}} + {{- else if .Values.gitea.database.builtIn.mariadb.enabled -}} + {{- $_ := set .Values.gitea.config.database "DB_TYPE" "mysql" -}} + {{- if not (.Values.gitea.config.database.HOST) -}} + {{- $_ := set .Values.gitea.config.database "HOST" (include "mariadb.dns" .) -}} + {{- end -}} + {{- $_ := set .Values.gitea.config.database "NAME" .Values.mariadb.auth.database -}} + {{- $_ := set .Values.gitea.config.database "USER" .Values.mariadb.auth.username -}} + {{- $_ := set .Values.gitea.config.database "PASSWD" .Values.mariadb.auth.password -}} + {{- end -}} +{{- end -}} diff --git a/templates/gitea/config.yaml b/templates/gitea/config.yaml index 3eca2a0..78bceab 100644 --- a/templates/gitea/config.yaml +++ b/templates/gitea/config.yaml 
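Review bot: In `gitea.inline_configuration`, each setting is rendered with `printf "%s=%v" $n_key $n_value` and the section is joined with `"\n"`, so a value that itself contains a line break becomes several lines in the mounted file. The init script in templates/gitea/config.yaml reads these files line by line, so a continuation line is either rejected as `! invalid setting` or, if it contains `=`, applied as a separate setting in the same section. I would reject such values at render time, before the `append`: `{{- if contains "\n" (toString $n_value) }}{{- fail (printf "Value of %s.%s must not contain line breaks" $key $n_key) }}{{- end }}`. A short template comment that `_generals_` is a reserved key which the script maps to the ini root would also help.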
@@ -1,5 +1,15 @@
 apiVersion: v1
 kind: Secret
+metadata:
+ name: {{ include "gitea.fullname" . }}-inline-config
+ labels:
+ {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+ {{- include "gitea.inline_configuration" . | nindent 2 }}
+---
+apiVersion: v1
+kind: Secret
 metadata:
 name: {{ include "gitea.fullname" . }}
 labels:
@@ -10,160 +20,105 @@ stringData: #!/usr/bin/env bash set -euo pipefail - {{- if not (hasKey .Values.gitea.config "cache") -}} - {{- $_ := set .Values.gitea.config "cache" dict -}} - {{- end -}} + function env2ini::log() { + printf "${1}\n" + } - {{- if not (hasKey .Values.gitea.config "server") -}} - {{- $_ := set .Values.gitea.config "server" dict -}} - {{- end -}} + function env2ini::read_config_to_env() { + local section="${1}" + local line="${2}" - {{- if not (hasKey .Values.gitea.config "metrics") -}} - {{- $_ := set .Values.gitea.config "metrics" dict -}} - {{- end -}} + if [[ -z "${line}" ]]; then + # skip empty line + return + fi + + # 'xargs echo -n' trims all leading/trailing whitespaces and a trailing new line + local setting="$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)" - {{- if not (hasKey .Values.gitea.config "database") -}} - {{- $_ := set .Values.gitea.config "database" dict -}} - {{- end -}} + if [[ -z "${setting}" ]]; then + env2ini::log ' ! invalid setting' + exit 1 + fi - {{- if not (hasKey .Values.gitea.config "security") -}} - {{- $_ := set .Values.gitea.config "security" dict -}} - {{- end -}} + local value='' + local regex="^${setting}(\s*)=(\s*)(.*)" + if [[ $line =~ $regex ]]; then + value="${BASH_REMATCH[3]}" + else + env2ini::log ' ! 
invalid setting' + exit 1 + fi - {{- if not .Values.gitea.config.repository -}} - {{- $_ := set .Values.gitea.config "repository" dict -}} - {{- end -}} + env2ini::log " + '${setting}'" - {{- if not (hasKey .Values.gitea.config "oauth2") -}} - {{- $_ := set .Values.gitea.config "oauth2" dict -}} - {{- end -}} + if [[ -z "${section}" ]]; then + export "ENV_TO_INI____${setting^^}=${value}" # '^^' makes the variable content uppercase + return + fi - {{- /* repository default settings */ -}} - {{- if not .Values.gitea.config.repository.ROOT -}} - {{- $_ := set .Values.gitea.config.repository "ROOT" "/data/git/gitea-repositories" -}} - {{- end -}} + local masked_section="${section//./_0X2E_}" # '//' instructs to replace all matches + masked_section="${masked_section//-/_0X2D_}" - {{- /* security default settings */ -}} - {{- if not .Values.gitea.config.security.INSTALL_LOCK -}} - {{- $_ := set .Values.gitea.config.security "INSTALL_LOCK" "true" -}} - {{- end -}} + export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase + } - {{- /* server default settings */ -}} - {{- if not (hasKey .Values.gitea.config.server "HTTP_PORT") -}} - {{- $_ := set .Values.gitea.config.server "HTTP_PORT" .Values.service.http.port -}} - {{- end -}} - {{- if not .Values.gitea.config.server.PROTOCOL -}} - {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}} - {{- end -}} - {{- if not (.Values.gitea.config.server.DOMAIN) -}} - {{- if gt (len .Values.ingress.hosts) 0 -}} - {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}} - {{- else -}} - {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) 
-}} - {{- end -}} - {{- end -}} - {{- if not .Values.gitea.config.server.ROOT_URL -}} - {{- if .Values.ingress.enabled -}} - {{- if gt (len .Values.ingress.tls) 0 -}} - {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}} - {{- else -}} - {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0).host) -}} - {{- end -}} - {{- else -}} - {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}} - {{- end -}} - {{- end -}} - {{- if not .Values.gitea.config.server.SSH_DOMAIN -}} - {{- $_ := set .Values.gitea.config.server "SSH_DOMAIN" .Values.gitea.config.server.DOMAIN -}} - {{- end -}} - {{- if not .Values.gitea.config.server.SSH_PORT -}} - {{- $_ := set .Values.gitea.config.server "SSH_PORT" .Values.service.ssh.port -}} - {{- end -}} - {{- if not (hasKey .Values.gitea.config.server "SSH_LISTEN_PORT") -}} - {{- if not .Values.image.rootless -}} - {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" .Values.gitea.config.server.SSH_PORT -}} - {{- else -}} - {{- $_ := set .Values.gitea.config.server "SSH_LISTEN_PORT" "2222" -}} - {{- end -}} - {{- end -}} - {{- if not (hasKey .Values.gitea.config.server "START_SSH_SERVER") -}} - {{- if .Values.image.rootless -}} - {{- $_ := set .Values.gitea.config.server "START_SSH_SERVER" "true" -}} - {{- end -}} - {{- end -}} - {{- if not (hasKey .Values.gitea.config.server "APP_DATA_PATH") -}} - {{- $_ := set .Values.gitea.config.server "APP_DATA_PATH" "/data" -}} - {{- end -}} - {{- if not (hasKey .Values.gitea.config.server "ENABLE_PPROF") -}} - {{- $_ := set .Values.gitea.config.server "ENABLE_PPROF" false -}} - {{- end -}} + function env2ini::process_config_file() { + local config_file="${1}" + local section="$(basename "${config_file}")" - {{- /* 
metrics default settings */ -}} - {{- if not (hasKey .Values.gitea.config.metrics "ENABLED") -}} - {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}} - {{- end -}} + if [[ $section == '_generals_' ]]; then + env2ini::log " [ini root]" + section='' + else + env2ini::log " ${section}" + fi - {{- /* database default settings */ -}} - {{- if .Values.gitea.database.builtIn.postgresql.enabled -}} - {{- $_ := set .Values.gitea.config.database "DB_TYPE" "postgres" -}} - {{- if not (.Values.gitea.config.database.HOST) -}} - {{- $_ := set .Values.gitea.config.database "HOST" (include "postgresql.dns" .) -}} - {{- end -}} - {{- $_ := set .Values.gitea.config.database "NAME" .Values.postgresql.global.postgresql.postgresqlDatabase -}} - {{- $_ := set .Values.gitea.config.database "USER" .Values.postgresql.global.postgresql.postgresqlUsername -}} - {{- $_ := set .Values.gitea.config.database "PASSWD" .Values.postgresql.global.postgresql.postgresqlPassword -}} - {{ else if .Values.gitea.database.builtIn.mysql.enabled -}} - {{- $_ := set .Values.gitea.config.database "DB_TYPE" "mysql" -}} - {{- if not (.Values.gitea.config.database.HOST) -}} - {{- $_ := set .Values.gitea.config.database "HOST" (include "mysql.dns" .) -}} - {{- end -}} - {{- $_ := set .Values.gitea.config.database "NAME" .Values.mysql.db.name -}} - {{- $_ := set .Values.gitea.config.database "USER" .Values.mysql.db.user -}} - {{- $_ := set .Values.gitea.config.database "PASSWD" .Values.mysql.db.password -}} - {{ else if .Values.gitea.database.builtIn.mariadb.enabled -}} - {{- $_ := set .Values.gitea.config.database "DB_TYPE" "mysql" -}} - {{- if not (.Values.gitea.config.database.HOST) -}} - {{- $_ := set .Values.gitea.config.database "HOST" (include "mariadb.dns" .) 
-}} - {{- end -}} - {{- $_ := set .Values.gitea.config.database "NAME" .Values.mariadb.auth.database -}} - {{- $_ := set .Values.gitea.config.database "USER" .Values.mariadb.auth.username -}} - {{- $_ := set .Values.gitea.config.database "PASSWD" .Values.mariadb.auth.password -}} - {{- end -}} + while read -r line; do + env2ini::read_config_to_env "${section}" "${line}" + done < <(awk 1 "${config_file}") # Helm .toYaml trims the trailing new line which breaks line processing; awk 1 ... adds it back while reading + } - {{- /* cache default settings */ -}} - {{- if .Values.gitea.cache.builtIn.enabled -}} - {{- $_ := set .Values.gitea.config.cache "ENABLED" "true" -}} - {{- $_ := set .Values.gitea.config.cache "ADAPTER" "memcache" -}} - {{- if not (.Values.gitea.config.cache.HOST) -}} - {{- $_ := set .Values.gitea.config.cache "HOST" (include "memcached.dns" .) -}} - {{- end -}} - {{- end -}} + function env2ini::load_config_sources() { + local path="${1}" - {{- if not (hasKey .Values.gitea.config.security "INTERNAL_TOKEN") }} - export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN) - {{- end }} - {{- if not (hasKey .Values.gitea.config.security "SECRET_KEY") }} - export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY) - {{- end }} - {{- if not (hasKey .Values.gitea.config.oauth2 "JWT_SECRET") }} - export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET) - {{- end }} + env2ini::log "Processing $(basename "${path}")..." - {{- /* autogenerate app.ini environment values */ -}} - {{- range $key, $value := .Values.gitea.config }} - {{- if kindIs "map" $value }} - {{- if gt (len $value) 0 }} - {{- range $n_key, $n_value := $value }} - export ENV_TO_INI__{{ $key | upper | replace "." "_0X2E_" | replace "-" "_0X2D_" }}__{{ $n_key | upper }}={{ $n_value }} - {{- end }} - {{- end }} - {{- else }} - export ENV_TO_INI__{{ $key | upper | replace "." 
"_0X2E_" | replace "-" "_0X2D_" }}__{{ $key | upper }}={{ $value }} - {{- end }} - {{- end }} + while read -d '' configFile; do + env2ini::process_config_file "${configFile}" + done < <(find "${path}" -type l -not -name '..data' -print0) + + env2ini::log "\n" + } + + function env2ini::generate_initial_secrets() { + # These environment variables will either be + # - overwritten with user defined values, + # - initially used to set up Gitea + # Anyway, they won't harm existing app.ini files + + export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN) + export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY) + export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET) + + env2ini::log "...Initial secrets generated\n" + } + + # MUST BE CALLED BEFORE OTHER CONFIGURATION + env2ini::generate_initial_secrets + + env2ini::load_config_sources '/env-to-ini-mounts/inlines/' + env2ini::load_config_sources '/env-to-ini-mounts/additionals/' + + env2ini::log "=== All configuration sources loaded ===\n" # safety to prevent rewrite of secret keys if an app.ini already exists if [ -f ${GITEA_APP_INI} ]; then + env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:' + env2ini::log ' - security.INTERNAL_TOKEN' + env2ini::log ' - security.SECRET_KEY' + env2ini::log ' - oauth2.JWT_SECRET' + unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN unset ENV_TO_INI__SECURITY__SECRET_KEY unset ENV_TO_INI__OAUTH2__JWT_SECRET diff --git a/templates/gitea/statefulset.yaml b/templates/gitea/statefulset.yaml index 6542296..b0385b4 100644 --- a/templates/gitea/statefulset.yaml +++ b/templates/gitea/statefulset.yaml 
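Review bot: `env2ini::log` uses its argument as the printf format (`printf "${1}\n"`), and `env2ini::read_config_to_env` calls it with `" + '${setting}'"`, where the setting name comes from a mounted Secret or ConfigMap. A `%` in that name is therefore interpreted as a conversion specifier instead of being printed. A fixed format that still expands the `\n` escapes the callers rely on avoids this: `printf '%b\n' "${1}"`. Relatedly, `${setting}` is interpolated unescaped into `regex`, so regex metacharacters in a key change what is matched, and `\s` is not POSIX ERE; `[[:space:]]*` is the portable spelling. Only the setting name is logged, never `${value}`, which is right for secret sources, and a comment saying so would help keep it that way.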
@@ -97,6 +97,12 @@ spec: {{- if .Values.persistence.subPath }} subPath: {{ .Values.persistence.subPath }} {{- end }} + - name: inline-config-sources + mountPath: /env-to-ini-mounts/inlines/ + {{- range $idx, $value := .Values.gitea.additionalConfigSources }} + - name: additional-config-sources-{{ $idx }} + mountPath: "/env-to-ini-mounts/additionals/{{ $idx }}/" + {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 12 }} {{- end }} @@ -284,6 +290,13 @@ spec: {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 8 }} {{- end }} + - name: inline-config-sources + secret: + secretName: {{ include "gitea.fullname" . }}-inline-config + {{- range $idx, $value := .Values.gitea.additionalConfigSources }} + - name: additional-config-sources-{{ $idx }} + {{- toYaml $value | nindent 10 }} + {{- end }} - name: temp emptyDir: {} {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} diff --git a/values.yaml b/values.yaml index d22ca52..610a765 100644 --- a/values.yaml +++ b/values.yaml @@ -205,6 +205,12 @@ gitea: # security: # PASSWORD_COMPLEXITY: spec + additionalConfigSources: [] + # - secret: + # secretName: gitea-app-ini-oauth + # - configMap: + # name: gitea-app-ini-plaintext + podAnnotations: {} database:
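Review bot: In the `volumes:` hunk (`@@ -284,6 +290,13 @@`), each `additionalConfigSources` entry is emitted verbatim with `toYaml $value`, so any volume source is accepted even though the README documents only `secret` and `configMap`. The loader in templates/gitea/config.yaml collects files with `find ... -type l`, so a source that does not project its keys as symlinks would presumably be mounted and then silently ignored. A render-time guard inside the `range` makes the contract explicit: `{{- if not (or (hasKey $value "secret") (hasKey $value "configMap")) }}{{- fail "additionalConfigSources entries must be a secret or configMap" }}{{- end }}`. The enclosing pod spec starts and ends outside the hunk.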