# Helm values for the Gitea chart, rendered through Go templating from .Values.
# Inputs: the cluster domain suffix, the optional Keycloak chart settings (used as
# the OIDC provider when enabled), the external OIDC settings, and charts.gitea.
{{- $v := .Values }}
{{- $o := $v.oidc }}
{{- $g := $v.charts | get "gitea" dict }}
{{- $k := $v.charts | get "keycloak" dict }}
# Keycloak is assumed enabled unless charts.keycloak.enabled is explicitly false.
{{- $hasKeycloak := $k | get "enabled" true }}
{{- $realm := $k | get "realm" "master" }}
{{- $keycloakIssuer := printf "https://keycloak.%s/realms/%s" $v.cluster.domainSuffix $realm }}
{{- $giteaDomain := printf "gitea.%s" $v.cluster.domainSuffix }}
# "staging" selects the cert-manager staging issuer, whose certificates are not
# publicly trusted; the two conditionals further down relax TLS verification and
# add a custom root CA for that case only.
{{- $stage := $v.charts | get "cert-manager.stage" "production" }}
{{- $hasStagingCerts := eq $stage "staging" }}
nameOverride: gitea
fullnameOverride: gitea
# clusterDomain: {{ $v.cluster.domainSuffix }}
resources:
limits:
cpu: 1
memory: 1Gi
requests:
cpu: 100m
memory: 128Mi
# Container security context: non-root uid/gid 1000, all capabilities dropped,
# no privilege escalation, read-only root filesystem.
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
image:
# NOTE(review): the pull secret is given here as a mapping (`- name: ...`) but as a
# bare string under `global.imagePullSecrets` at the end of this file; confirm the
# chart accepts both shapes.
{{- with .Values.otomi | get "globalPullSecret" nil }}
imagePullSecrets:
- name: otomi-pullsecret-global
{{- end }}
# NOTE(review): pinned by tag only; a digest pin would make the image immutable.
tag: 1.14.2
pullPolicy: IfNotPresent
rootless: true
gitea:
admin:
username: otomi-admin
# Falls back to the platform admin password when charts.gitea.adminPassword is unset.
# NOTE(review): rendered as an unquoted scalar; a value that looks like a number or
# boolean would be retyped by YAML — consider piping it through `quote`.
password: {{ $g | get "adminPassword" $v.otomi.adminPassword }}
config:
log:
# NOTE(review): trace is the most verbose level and may put request details into
# the logs; consider info outside of debugging sessions.
LEVEL: trace
openid:
# NOTE(review): this appears to be Gitea's OpenID (2.0) sign-in, separate from the
# OAuth2/OIDC provider configured under `oauth` below; confirm it is intended.
ENABLE_OPENID_SIGNIN: true
repository:
DEFAULT_BRANCH: main
# Any extra app.ini sections from charts.gitea.config are merged in here verbatim.
{{- with $g | get "config" nil }}
{{- toYaml . | nindent 4}}
{{- end }}
server:
DOMAIN: {{ $giteaDomain }}
ROOT_URL: "https://{{ $giteaDomain }}/"
# Git over SSH is disabled.
DISABLE_SSH: true
# Staging certificates only: TLS verification is switched off for both the server
# and the webhook sections. NOTE(review): this disables certificate validation
# entirely for those clients; if extraRootCA below makes the staging CA trusted,
# the skips may be unnecessary — confirm.
{{- if $hasStagingCerts }}
SKIP_TLS_VERIFY: true
webhook:
SKIP_TLS_VERIFY: true
{{- end }}
metrics:
enabled: true
serviceMonitor:
enabled: true
prometheusSelector: system
# OIDC login: Keycloak when enabled, otherwise the external IdP from .Values.oidc.
oauth:
enabled: true
name: {{ $hasKeycloak | ternary ($k | get "idp.alias" "otomi") "otomi" }}
provider: openidConnect
# NOTE(review): `ternary` evaluates both arguments, so $k.idp.clientID/clientSecret
# are dereferenced even when Keycloak is disabled (and $o.clientID/clientSecret when
# it is enabled); a missing key renders an empty or `<no value>` credential instead
# of failing loudly. The `get`-with-default form used for `name` above avoids this.
key: {{ $hasKeycloak | ternary $k.idp.clientID $o.clientID }}
secret: {{ $hasKeycloak | ternary $k.idp.clientSecret $o.clientSecret }}
# Discovery document is fetched from the selected issuer over HTTPS.
autoDiscoverUrl: '{{ $hasKeycloak | ternary $keycloakIssuer $o.issuer }}/.well-known/openid-configuration'
init:
resources:
limits:
cpu: 250m
memory: 256Mi
requests:
cpu: 100m
memory: 128Mi
memcached:
resources:
limits:
cpu: 250m
memory: 256Mi
requests:
cpu: 100m
memory: 128Mi
persistence:
size: 1Gi
postgresql:
persistence:
size: 1Gi
global:
postgresql:
# NOTE(review): the application user and the `postgres` superuser receive the same
# password, so a leaked application credential is also a superuser credential;
# give postgresqlPostgresPassword its own value. Neither `get` carries a default,
# so the render depends on charts.gitea.postgresqlPassword always being set — confirm.
postgresqlPassword: {{ $g | get "postgresqlPassword" }}
postgresqlPostgresPassword: {{ $g | get "postgresqlPassword" }}
resources:
limits:
memory: 512Mi
cpu: 500m
requests:
memory: 256Mi
cpu: 250m
# Staging only: custom root and intermediate CA, defaulting to the Let's Encrypt
# chain from .Values. NOTE(review): what consumes extraRootCA is not visible here —
# confirm it actually reaches Gitea's trust store before relying on it.
{{- if $hasStagingCerts }}
extraRootCA: |
{{- $v | get "customRootCa" $v.letsencryptRootCA | nindent 2 }}
{{- $v | get "customIntermediateCa" $v.letsencryptCA | nindent 2 }}
{{- end }}
# NOTE(review): second `securityContext` key in this file; if it sits at the same
# level as the one near the top it is a duplicate key and the later one wins
# silently in most YAML parsers — confirm its parent.
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
# Init-container pre-script: block until Keycloak answers on 443.
# NOTE(review): this wait is unconditional, while the OIDC wiring above only uses
# Keycloak when $hasKeycloak is true; with Keycloak disabled the init container
# would loop forever. Gate the loop on $hasKeycloak.
initPreScript: |
echo "Waiting until keycloak service is accessible"
while ! nc -w2 -zv {{ printf "keycloak.%s" $v.cluster.domainSuffix }} 443; do
printf '.'
sleep 5
done
echo READY!
{{- with .Values.otomi | get "globalPullSecret" nil }}
global:
imagePullSecrets:
- otomi-pullsecret-global
{{- end }}