mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-05-01 22:11:01 +08:00
72819f0f76
Disables the SSH server functionality in Forgejo to prevent SSH clone URLs from being displayed in the user interface. This aligns with the current policy of not supporting SSH cloning for repositories on this instance. Signed-off-by: Ryan Lerch <rlerch@redhat.com>
833 lines
31 KiB
Django/Jinja
833 lines
31 KiB
Django/Jinja
# Default values for gitea.
|
|
# This is a YAML-formatted file.
|
|
# Declare variables to be passed into your templates.
|
|
## @section Global
|
|
#
|
|
## @param global.imageRegistry global image registry override
|
|
## @param global.imagePullSecrets global image pull secrets override; can be extended by `imagePullSecrets`
|
|
## @param global.storageClass global storage class override
|
|
## @param global.hostAliases global hostAliases which will be added to the pod's hosts files
|
|
global:
|
|
imageRegistry: ''
|
|
## E.g.
|
|
## imagePullSecrets:
|
|
## - myRegistryKeySecretName
|
|
##
|
|
imagePullSecrets: []
|
|
storageClass: ''
|
|
hostAliases: []
|
|
# - ip: 192.168.137.2
|
|
# hostnames:
|
|
# - example.com
|
|
|
|
## @param namespaceOverride String to fully override common.names.namespace
|
|
##
|
|
namespaceOverride: ''
|
|
|
|
## @param replicaCount number of replicas for the deployment
|
|
replicaCount: 1
|
|
|
|
## @section strategy
|
|
## @param strategy.type strategy type
|
|
## @param strategy.rollingUpdate.maxSurge maxSurge
|
|
## @param strategy.rollingUpdate.maxUnavailable maxUnavailable
|
|
strategy:
|
|
type: 'RollingUpdate'
|
|
rollingUpdate:
|
|
maxSurge: '100%'
|
|
maxUnavailable: 0
|
|
|
|
## @param clusterDomain cluster domain
|
|
clusterDomain: cluster.local
|
|
|
|
## @section Image
|
|
## @param image.registry image registry, e.g. gcr.io,docker.io
|
|
## @param image.repository Image to start for this pod
|
|
## @param image.tag Visit: [Image tag](https://code.forgejo.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml.
|
|
## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
|
|
## @param image.pullPolicy Image pull policy
|
|
## @param image.rootless Wether or not to pull the rootless version of Forgejo
|
|
## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).**
|
|
image:
|
|
registry: quay.io
|
|
repository: konflux-fedora/fedora-infra-tenant/forgejo-oci-images-main-stable
|
|
# Overrides the image tag whose default is the chart appVersion.
|
|
tag: 'latest'
|
|
digest: ''
|
|
pullPolicy: IfNotPresent
|
|
rootless: true
|
|
fullOverride: ''
|
|
|
|
## @param imagePullSecrets Secret to use for pulling the image
|
|
imagePullSecrets: []
|
|
|
|
## @section Security
|
|
# Security context is only usable with rootless image due to image design
|
|
## @param podSecurityContext.fsGroup Set the shared file system group for all containers in the pod.
|
|
podSecurityContext:
|
|
fsGroup: 1000
|
|
|
|
## @param containerSecurityContext Security context
|
|
containerSecurityContext: {}
|
|
# allowPrivilegeEscalation: false
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
# # Add the SYS_CHROOT capability for root and rootless images if you intend to
|
|
# # run pods on nodes that use the container runtime cri-o. Otherwise, you will
|
|
# # get an error message from the SSH server that it is not possible to read from
|
|
# # the repository.
|
|
# # https://gitea.com/gitea/helm-chart/issues/161
|
|
# add:
|
|
# - SYS_CHROOT
|
|
# privileged: false
|
|
# readOnlyRootFilesystem: true
|
|
# runAsGroup: 1000
|
|
# runAsNonRoot: true
|
|
# runAsUser: 1000
|
|
|
|
## @deprecated The securityContext variable has been split two:
|
|
## - containerSecurityContext
|
|
## - podSecurityContext.
|
|
## @param securityContext Run init and Forgejo containers as a specific securityContext
|
|
securityContext: {}
|
|
|
|
## @param podDisruptionBudget Pod disruption budget
|
|
podDisruptionBudget: {}
|
|
# maxUnavailable: 1
|
|
# minAvailable: 1
|
|
|
|
## @section Service
|
|
service:
|
|
## @param service.http.type Kubernetes service type for web traffic
|
|
## @param service.http.port Port number for web traffic
|
|
## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment
|
|
## @param service.http.loadBalancerIP LoadBalancer IP setting
|
|
## @param service.http.nodePort NodePort for http service
|
|
## @param service.http.externalTrafficPolicy If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
|
|
## @param service.http.externalIPs External IPs for service
|
|
## @param service.http.ipFamilyPolicy HTTP service dual-stack policy
|
|
## @param service.http.ipFamilies HTTP service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/).
|
|
## @param service.http.loadBalancerSourceRanges Source range filter for http loadbalancer
|
|
## @param service.http.annotations HTTP service annotations
|
|
## @param service.http.labels HTTP service additional labels
|
|
## @param service.http.loadBalancerClass Loadbalancer class
|
|
http:
|
|
type: ClusterIP
|
|
port: 3000
|
|
clusterIP:
|
|
loadBalancerIP:
|
|
nodePort:
|
|
externalTrafficPolicy:
|
|
externalIPs:
|
|
ipFamilyPolicy:
|
|
ipFamilies:
|
|
loadBalancerSourceRanges: []
|
|
annotations: {}
|
|
labels: {}
|
|
loadBalancerClass:
|
|
## @param service.ssh.type Kubernetes service type for ssh traffic
|
|
## @param service.ssh.port Port number for ssh traffic
|
|
## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment
|
|
## @param service.ssh.loadBalancerIP LoadBalancer IP setting
|
|
## @param service.ssh.nodePort NodePort for ssh service
|
|
## @param service.ssh.externalTrafficPolicy If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
|
|
## @param service.ssh.externalIPs External IPs for service
|
|
## @param service.ssh.ipFamilyPolicy SSH service dual-stack policy
|
|
## @param service.ssh.ipFamilies SSH service dual-stack familiy selection,for dual-stack parameters see official kubernetes [dual-stack concept documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/).
|
|
## @param service.ssh.hostPort HostPort for ssh service
|
|
## @param service.ssh.loadBalancerSourceRanges Source range filter for ssh loadbalancer
|
|
## @param service.ssh.annotations SSH service annotations
|
|
## @param service.ssh.labels SSH service additional labels
|
|
## @param service.ssh.loadBalancerClass Loadbalancer class
|
|
ssh:
|
|
type: ClusterIP
|
|
port: 22
|
|
clusterIP:
|
|
loadBalancerIP:
|
|
nodePort:
|
|
externalTrafficPolicy:
|
|
externalIPs:
|
|
ipFamilyPolicy:
|
|
ipFamilies:
|
|
hostPort:
|
|
loadBalancerSourceRanges: []
|
|
annotations: {}
|
|
labels: {}
|
|
loadBalancerClass:
|
|
|
|
## @section Ingress
|
|
## @param ingress.enabled Enable ingress
|
|
## @param ingress.className Ingress class name
|
|
## @param ingress.annotations Ingress annotations
|
|
## @param ingress.hosts[0].host Default Ingress host
|
|
## @param ingress.hosts[0].paths[0].path Default Ingress path
|
|
## @param ingress.hosts[0].paths[0].pathType Ingress path type
|
|
## @param ingress.tls Ingress tls settings
|
|
ingress:
|
|
enabled: false
|
|
# className: nginx
|
|
className:
|
|
annotations:
|
|
{}
|
|
# kubernetes.io/ingress.class: nginx
|
|
# kubernetes.io/tls-acme: "true"
|
|
hosts:
|
|
- host: git.example.com
|
|
paths:
|
|
- path: /
|
|
pathType: Prefix
|
|
tls: []
|
|
# - secretName: chart-example-tls
|
|
# hosts:
|
|
# - git.example.com
|
|
|
|
## @section Route
|
|
## @param route.enabled Enable route
|
|
## @param route.annotations Route annotations
|
|
## @param route.host Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined)
|
|
## @param route.wildcardPolicy Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed.
|
|
## @param route.tls.termination termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls))
|
|
## @param route.tls.insecureEdgeTerminationPolicy the desired behavior for insecure connections to a route (e.g. with http)
|
|
## @param route.tls.existingSecret the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored)
|
|
## @param route.tls.certificate PEM encoded single certificate
|
|
## @param route.tls.privateKey PEM encoded private key
|
|
## @param route.tls.caCertificate PEM encoded CA certificate or chain that issued the certificate
|
|
## @param route.tls.destinationCACertificate PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise)
|
|
route:
|
|
enabled: true
|
|
annotations: {}
|
|
host: "forgejo.apps.ocp.stg.fedoraproject.org"
|
|
wildcardPolicy:
|
|
tls:
|
|
termination: edge
|
|
insecureEdgeTerminationPolicy: Redirect
|
|
existingSecret:
|
|
certificate:
|
|
# certificate: |-
|
|
# -----BEGIN CERTIFICATE-----
|
|
# ...
|
|
# -----END CERTIFICATE-----
|
|
privateKey:
|
|
# privateKey: |-
|
|
# -----BEGIN PRIVATE KEY-----
|
|
# ...
|
|
# -----END PRIVATE KEY-----
|
|
caCertificate:
|
|
# caCertificate: |-
|
|
# -----BEGIN CERTIFICATE-----
|
|
# ...
|
|
# -----END CERTIFICATE-----
|
|
destinationCACertificate:
|
|
# destinationCACertificate: |-
|
|
# -----BEGIN CERTIFICATE-----
|
|
# ...
|
|
# -----END CERTIFICATE-----
|
|
|
|
## @section deployment
|
|
#
|
|
## @param resources Kubernetes resources
|
|
resources:
|
|
{}
|
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
# choice for the user. This also increases chances charts run on environments with little
|
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
|
|
## Use an alternate scheduler, e.g. "stork".
|
|
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
|
##
|
|
## @param schedulerName Use an alternate scheduler, e.g. "stork"
|
|
schedulerName: ''
|
|
|
|
## @param nodeSelector NodeSelector for the deployment
|
|
nodeSelector: {}
|
|
|
|
## @param tolerations Tolerations for the deployment
|
|
tolerations: []
|
|
|
|
## @param affinity Affinity for the deployment
|
|
affinity: {}
|
|
|
|
## @param topologySpreadConstraints TopologySpreadConstraints for the deployment
|
|
topologySpreadConstraints: []
|
|
|
|
## @param dnsConfig dnsConfig for the deployment
|
|
dnsConfig: {}
|
|
|
|
## @param priorityClassName priorityClassName for the deployment
|
|
priorityClassName: ''
|
|
|
|
## @param deployment.env Additional environment variables to pass to containers
|
|
## @param deployment.terminationGracePeriodSeconds How long to wait until forcefully kill the pod
|
|
## @param deployment.labels Labels for the deployment
|
|
## @param deployment.annotations Annotations for the Forgejo deployment to be created
|
|
deployment:
|
|
env:
|
|
[]
|
|
# - name: VARIABLE
|
|
# value: my-value
|
|
terminationGracePeriodSeconds: 60
|
|
labels: {}
|
|
annotations: {}
|
|
|
|
## @section ServiceAccount
|
|
|
|
## @param serviceAccount.create Enable the creation of a ServiceAccount
|
|
## @param serviceAccount.name Name of the created ServiceAccount, defaults to release name. Can also link to an externally provided ServiceAccount that should be used.
|
|
## @param serviceAccount.automountServiceAccountToken Enable/disable auto mounting of the service account token
|
|
## @param serviceAccount.imagePullSecrets Image pull secrets, available to the ServiceAccount
|
|
## @param serviceAccount.annotations Custom annotations for the ServiceAccount
|
|
## @param serviceAccount.labels Custom labels for the ServiceAccount
|
|
serviceAccount:
|
|
create: true
|
|
name: 'forgejo-http'
|
|
automountServiceAccountToken: false
|
|
imagePullSecrets: []
|
|
# - name: private-registry-access
|
|
annotations: {}
|
|
labels: {}
|
|
|
|
## @section Persistence
|
|
#
|
|
## @param persistence.enabled Enable persistent storage
|
|
## @param persistence.create Whether to create the persistentVolumeClaim for shared storage
|
|
## @param persistence.mount Whether the persistentVolumeClaim should be mounted (even if not created)
|
|
## @param persistence.claimName Use an existing claim to store repository information
|
|
## @param persistence.size Size for persistence to store repo information
|
|
## @param persistence.accessModes AccessMode for persistence
|
|
## @param persistence.labels Labels for the persistence volume claim to be created
|
|
## @param persistence.annotations.helm.sh/resource-policy Resource policy for the persistence volume claim
|
|
## @param persistence.storageClass Name of the storage class to use
|
|
## @param persistence.subPath Subdirectory of the volume to mount at
|
|
## @param persistence.volumeName Name of persistent volume in PVC
|
|
persistence:
|
|
enabled: true
|
|
create: true
|
|
mount: true
|
|
claimName: gitea-shared-storage
|
|
size: 100Gi
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
labels: {}
|
|
storageClass:
|
|
subPath:
|
|
volumeName: ''
|
|
annotations:
|
|
helm.sh/resource-policy: keep
|
|
|
|
## @param extraVolumes Additional volumes to mount to the Forgejo deployment
|
|
extraVolumes: []
|
|
# - name: postgres-ssl-vol
|
|
# secret:
|
|
# secretName: gitea-postgres-ssl
|
|
|
|
## @param extraContainerVolumeMounts Mounts that are only mapped into the Forgejo runtime/main container, to e.g. override custom templates.
|
|
extraContainerVolumeMounts: []
|
|
|
|
## @param extraInitVolumeMounts Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.
|
|
extraInitVolumeMounts: []
|
|
|
|
## @deprecated The extraVolumeMounts variable has been split two:
|
|
## - extraContainerVolumeMounts
|
|
## - extraInitVolumeMounts
|
|
## As an example, can be used to mount a client cert when connecting to an external Postgres server.
|
|
## @param extraVolumeMounts **DEPRECATED** Additional volume mounts for init containers and the Forgejo main container
|
|
extraVolumeMounts: []
|
|
# - name: postgres-ssl-vol
|
|
# readOnly: true
|
|
# mountPath: "/pg-ssl"
|
|
|
|
## @section Init
|
|
## @param initPreScript Bash shell script copied verbatim to the start of the init-container.
|
|
initPreScript: ''
|
|
#
|
|
# initPreScript: |
|
|
# mkdir -p /data/git/.postgresql
|
|
# cp /pg-ssl/* /data/git/.postgresql/
|
|
# chown -R git:git /data/git/.postgresql/
|
|
# chmod 400 /data/git/.postgresql/postgresql.key
|
|
|
|
## @param initContainers.resources.limits initContainers.limits Kubernetes resource limits for init containers
|
|
## @param initContainers.resources.requests.cpu initContainers.requests.cpu Kubernetes cpu resource limits for init containers
|
|
## @param initContainers.resources.requests.memory initContainers.requests.memory Kubernetes memory resource limits for init containers
|
|
initContainers:
|
|
resources:
|
|
limits: {}
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
|
|
# Configure commit/action signing prerequisites
|
|
## @section Signing
|
|
#
|
|
## @param signing.enabled Enable commit/action signing
|
|
## @param signing.gpgHome GPG home directory
|
|
## @param signing.privateKey Inline private GPG key for signed internal Git activity
|
|
## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
|
|
signing:
|
|
enabled: false
|
|
gpgHome: /data/git/.gnupg
|
|
privateKey: ''
|
|
# privateKey: |-
|
|
# -----BEGIN PGP PRIVATE KEY BLOCK-----
|
|
# ...
|
|
# -----END PGP PRIVATE KEY BLOCK-----
|
|
existingSecret: ''
|
|
|
|
## @section Gitea
|
|
#
|
|
gitea:
|
|
## @param gitea.admin.username Username for the Forgejo admin user
|
|
## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials
|
|
## @param gitea.admin.password Password for the Forgejo admin user
|
|
## @param gitea.admin.email Email for the Forgejo admin user
|
|
## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated
|
|
admin:
|
|
# existingSecret: gitea-admin-secret
|
|
existingSecret:
|
|
username: "{{ (env == 'production') | ternary(forgejo_admin_username, forgejo_stg_admin_username) }}"
|
|
password: "{{ (env == 'production') | ternary(forgejo_admin_password, forgejo_stg_admin_password) }}"
|
|
email: 'gitea@local.domain'
|
|
passwordMode: keepUpdated
|
|
|
|
## @param gitea.metrics.enabled Enable Forgejo metrics
|
|
## @param gitea.metrics.serviceMonitor.enabled Enable Forgejo metrics service monitor
|
|
## @param gitea.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
|
|
metrics:
|
|
enabled: false
|
|
serviceMonitor:
|
|
enabled: false
|
|
namespace: ''
|
|
# additionalLabels:
|
|
# prometheus-release: prom1
|
|
|
|
## @param gitea.ldap LDAP configuration
|
|
ldap:
|
|
[]
|
|
# - name: "LDAP 1"
|
|
# existingSecret:
|
|
# securityProtocol:
|
|
# host:
|
|
# port:
|
|
# userSearchBase:
|
|
# userFilter:
|
|
# adminFilter:
|
|
# emailAttribute:
|
|
# bindDn:
|
|
# bindPassword:
|
|
# usernameAttribute:
|
|
# publicSSHKeyAttribute:
|
|
|
|
# Either specify inline `key` and `secret` or refer to them via `existingSecret`
|
|
## @param gitea.oauth OAuth configuration
|
|
oauth:
|
|
- name: "FAS"
|
|
provider: "openidConnect"
|
|
key: "{{ (env == 'production') | ternary(forgejo_oidc_key, forgejo_stg_oidc_key) }}"
|
|
secret: "{{ (env == 'production') | ternary(forgejo_oidc_secret, forgejo_stg_oidc_secret) }}"
|
|
autoDiscoverUrl: "{{ (env == 'production') | ternary(forgejo_oidc_autodiscoverurl, forgejo_stg_oidc_autodiscoverurl) }}"
|
|
group-claim-name: "groups"
|
|
admin-group: "sysadmin-main"
|
|
group-team-map: '{"sysadmin-main":{"Packages":["Owners"], "Infrastructure":["Owners"]}, "provenpackager": {"Packages": ["provenpackager"]}}'
|
|
|
|
# - name: 'OAuth 1'
|
|
# provider:
|
|
# key:
|
|
# secret:
|
|
# existingSecret:
|
|
# autoDiscoverUrl:
|
|
# useCustomUrls:
|
|
# customAuthUrl:
|
|
# customTokenUrl:
|
|
# customProfileUrl:
|
|
# customEmailUrl:
|
|
|
|
## @param gitea.additionalConfigSources Additional configuration from secret or configmap
|
|
additionalConfigSources: []
|
|
# - secret:
|
|
# secretName: gitea-app-ini-oauth
|
|
# - configMap:
|
|
# name: gitea-app-ini-plaintext
|
|
|
|
## @param gitea.additionalConfigFromEnvs Additional configuration sources from environment variables
|
|
additionalConfigFromEnvs: []
|
|
|
|
## @param gitea.podAnnotations Annotations for the Forgejo pod
|
|
podAnnotations: {}
|
|
|
|
## @param gitea.ssh.logLevel Configure OpenSSH's log level. Only available for root-based Forgejo image.
|
|
ssh:
|
|
logLevel: 'INFO'
|
|
|
|
## @section `app.ini` overrides
|
|
## @descriptionStart
|
|
## Every value described in the [Cheat
|
|
## Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/) can be
|
|
## set as a Helm value. Configuration sections map to (lowercased) YAML
|
|
## blocks, while the keys themselves remain in all caps.
|
|
## @descriptionEnd
|
|
config:
|
|
# values in the DEFAULT section
|
|
# (https://forgejo.org/docs/latest/admin/config-cheat-sheet/#overall-default)
|
|
# are un-namespaced
|
|
|
|
## @param gitea.config.APP_NAME Application name, used in the page title
|
|
APP_NAME: 'Forgejo: Beyond coding. We forge.'
|
|
|
|
## @param gitea.config.RUN_MODE Application run mode, affects performance and debugging: `dev` or `prod`
|
|
RUN_MODE: prod
|
|
|
|
## @param gitea.config.repository General repository settings
|
|
repository:
|
|
MAX_CREATION_LIMIT: 0
|
|
ALLOW_FORK_WITHOUT_MAXIMUM_LIMIT: true
|
|
|
|
## @param gitea.config.cors Cross-origin resource sharing settings
|
|
cors: {}
|
|
|
|
## @param gitea.config.ui User interface settings
|
|
ui: {}
|
|
|
|
## @param gitea.config.markdown Markdown parser settings
|
|
markdown: {}
|
|
|
|
## @param gitea.config.server [object] General server settings
|
|
server:
|
|
SSH_PORT: 22 # rootful image
|
|
SSH_LISTEN_PORT: 2222 # rootless image
|
|
HTTP_PORT: 3000
|
|
PROTOCOL: "http"
|
|
LFS_JWT_SECRET: "{{ (env == 'production') | ternary(forgejo_jwt_secret, forgejo_stg_jwt_secret) }}"
|
|
SSH_DOMAIN: "{{ (env == 'production') | ternary(forgejo_hostname, forgejo_stg_hostname) }}"
|
|
DOMAIN: "{{ (env == 'production') | ternary(forgejo_hostname, forgejo_stg_hostname) }}"
|
|
ROOT_URL: "https://{{ (env == 'production') | ternary(forgejo_hostname, forgejo_stg_hostname) }}/"
|
|
APP_DATA_PATH: "/data"
|
|
ENABLE_PPROF: false
|
|
START_SSH_SERVER: true
|
|
OFFLINE_MODE: false
|
|
DISABLE_SSH: true
|
|
|
|
|
|
## @param gitea.config.database Database configuration (only necessary with an [externally managed DB](https://code.forgejo.org/forgejo-helm/forgejo-helm#external-database)).
|
|
database:
|
|
HOST: "{{ forgejo_database_host }}"
|
|
NAME: "{{ forgejo_database_name }}"
|
|
USER: "{{ forgejo_database_user }}"
|
|
PASSWD: "{{ forgejo_database_password }}"
|
|
SCHEMA: "{{ forgejo_database_schema }}"
|
|
SSL_MODE: "require"
|
|
DB_TYPE: "postgres"
|
|
|
|
|
|
## @param gitea.config.indexer Settings for what content is indexed and how
|
|
indexer: {}
|
|
|
|
## @param gitea.config.queue Job queue configuration
|
|
queue: {}
|
|
|
|
## @param gitea.config.admin Admin user settings
|
|
admin:
|
|
DISABLE_REGULAR_ORG_CREATION: true
|
|
|
|
## @param gitea.config.security Site security settings
|
|
security: {}
|
|
|
|
## @param gitea.config.camo Settings for the [camo](https://github.com/cactus/go-camo) media proxy server (disabled by default)
|
|
camo: {}
|
|
|
|
## @param gitea.config.openid Configuration for authentication with OpenID (disabled by default)
|
|
openid: {}
|
|
|
|
## @param gitea.config.oauth2_client OAuth2 client settings
|
|
oauth2_client:
|
|
OPENID_SIGNUP: true
|
|
ENABLE_AUTO_REGISTRATION: true
|
|
USERNAME: "nickname"
|
|
OPENID_CONNECT_SCOPES: "openid profile email https://id.fedoraproject.org/scope/agreements https://id.fedoraproject.org/scope/groups" # These scopes are apparently the same on staging and prod.
|
|
|
|
|
|
## @param gitea.config.service Configuration for miscellaneous Forgejo services
|
|
service:
|
|
DISABLE_REGISTRATION: true
|
|
|
|
## @param gitea.config.ssh.minimum_key_sizes SSH minimum key sizes
|
|
ssh.minimum_key_sizes: {}
|
|
|
|
## @param gitea.config.webhook Webhook settings
|
|
webhook: {}
|
|
|
|
## @param gitea.config.mailer Mailer configuration (disabled by default)
|
|
mailer: {}
|
|
|
|
## @param gitea.config.email.incoming Configuration for handling incoming mail (disabled by default)
|
|
email.incoming: {}
|
|
|
|
## @param gitea.config.cache Cache configuration
|
|
cache: {}
|
|
|
|
## @param gitea.config.session Session/cookie handling
|
|
session: {}
|
|
|
|
## @param gitea.config.picture User avatar settings
|
|
picture:
|
|
GRAVATAR_SOURCE: libravatar
|
|
|
|
## @param gitea.config.project Project board defaults
|
|
project: {}
|
|
|
|
## @param gitea.config.attachment Issue and PR attachment configuration
|
|
attachment: {}
|
|
|
|
## @param gitea.config.log Logging configuration
|
|
log: {}
|
|
|
|
## @param gitea.config.cron Cron job configuration
|
|
cron: {}
|
|
|
|
## @param gitea.config.git Global settings for Git
|
|
git: {}
|
|
|
|
## @param gitea.config.metrics Settings for the Prometheus endpoint (disabled by default)
|
|
metrics: {}
|
|
|
|
## @param gitea.config.api Settings for the Swagger API documentation endpoints
|
|
api: {}
|
|
|
|
## @param gitea.config.oauth2 Settings for the [OAuth2 provider](https://forgejo.org/docs/latest/admin/oauth2-provider/)
|
|
oauth2: {}
|
|
|
|
## @param gitea.config.i18n Internationalization settings
|
|
i18n: {}
|
|
|
|
## @param gitea.config.markup Configuration for advanced markup processors
|
|
markup: {}
|
|
|
|
## @param gitea.config.highlight.mapping File extension to language mapping overrides for syntax highlighting
|
|
highlight.mapping: {}
|
|
|
|
## @param gitea.config.time Locale settings
|
|
time: {}
|
|
|
|
## @param gitea.config.migrations Settings for Git repository migrations
|
|
migrations: {}
|
|
|
|
## @param gitea.config.federation Federation configuration
|
|
federation: {}
|
|
|
|
## @param gitea.config.packages Package registry settings
|
|
packages: {}
|
|
|
|
## @param gitea.config.mirror Configuration for repository mirroring
|
|
mirror: {}
|
|
|
|
## @param gitea.config.lfs Large File Storage configuration
|
|
lfs: {}
|
|
|
|
## @param gitea.config.repo-avatar Repository avatar storage configuration
|
|
repo-avatar: {}
|
|
|
|
## @param gitea.config.avatar User/org avatar storage configuration
|
|
avatar: {}
|
|
|
|
## @param gitea.config.storage General storage settings
|
|
storage: {}
|
|
|
|
## @param gitea.config.proxy Proxy configuration (disabled by default)
|
|
proxy: {}
|
|
|
|
## @param gitea.config.actions Configuration for [Forgejo Actions](https://forgejo.org/docs/latest/user/actions/)
|
|
actions: {}
|
|
|
|
## @param gitea.config.other Uncategorized configuration options
|
|
other: {}
|
|
|
|
## @section LivenessProbe
|
|
#
|
|
## @param gitea.livenessProbe.enabled Enable liveness probe
|
|
## @param gitea.livenessProbe.tcpSocket.port Port to probe for liveness
|
|
## @param gitea.livenessProbe.initialDelaySeconds Initial delay before liveness probe is initiated
|
|
## @param gitea.livenessProbe.timeoutSeconds Timeout for liveness probe
|
|
## @param gitea.livenessProbe.periodSeconds Period for liveness probe
|
|
## @param gitea.livenessProbe.successThreshold Success threshold for liveness probe
|
|
## @param gitea.livenessProbe.failureThreshold Failure threshold for liveness probe
|
|
# Modify the liveness probe for your needs or completely disable it by commenting out.
|
|
livenessProbe:
|
|
enabled: true
|
|
tcpSocket:
|
|
port: http
|
|
initialDelaySeconds: 200
|
|
timeoutSeconds: 1
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
failureThreshold: 10
|
|
|
|
## @section ReadinessProbe
|
|
#
|
|
## @param gitea.readinessProbe.enabled Enable readiness probe
|
|
## @param gitea.readinessProbe.httpGet.path Path to probe for readiness
|
|
## @param gitea.readinessProbe.httpGet.port Port to probe for readiness
|
|
## @param gitea.readinessProbe.initialDelaySeconds Initial delay before readiness probe is initiated
|
|
## @param gitea.readinessProbe.timeoutSeconds Timeout for readiness probe
|
|
## @param gitea.readinessProbe.periodSeconds Period for readiness probe
|
|
## @param gitea.readinessProbe.successThreshold Success threshold for readiness probe
|
|
## @param gitea.readinessProbe.failureThreshold Failure threshold for readiness probe
|
|
# Modify the readiness probe for your needs or completely disable it by commenting out.
|
|
readinessProbe:
|
|
enabled: true
|
|
httpGet:
|
|
path: /api/healthz
|
|
port: http
|
|
initialDelaySeconds: 5
|
|
timeoutSeconds: 1
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
failureThreshold: 3
|
|
|
|
# # Uncomment the startup probe to enable and modify it for your needs.
|
|
## @section StartupProbe
|
|
#
|
|
## @param gitea.startupProbe.enabled Enable startup probe
|
|
## @param gitea.startupProbe.tcpSocket.port Port to probe for startup
|
|
## @param gitea.startupProbe.initialDelaySeconds Initial delay before startup probe is initiated
|
|
## @param gitea.startupProbe.timeoutSeconds Timeout for startup probe
|
|
## @param gitea.startupProbe.periodSeconds Period for startup probe
|
|
## @param gitea.startupProbe.successThreshold Success threshold for startup probe
|
|
## @param gitea.startupProbe.failureThreshold Failure threshold for startup probe
|
|
startupProbe:
|
|
enabled: false
|
|
tcpSocket:
|
|
port: http
|
|
initialDelaySeconds: 60
|
|
timeoutSeconds: 1
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
failureThreshold: 10
|
|
|
|
## @section Redis® Cluster
|
|
## @descriptionStart
|
|
## Redis® Cluster is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) if enabled in the values.
|
|
## Full configuration options are available on their website.
|
|
## Redis cluster and [Redis](#redis) cannot be enabled at the same time.
|
|
## @descriptionEnd
|
|
#
|
|
## @param redis-cluster.enabled Enable redis cluster
|
|
## @param redis-cluster.usePassword Whether to use password authentication
|
|
## @param redis-cluster.cluster.nodes Number of redis cluster master nodes
|
|
## @param redis-cluster.cluster.replicas Number of redis cluster master node replicas
|
|
redis-cluster:
|
|
enabled: true
|
|
usePassword: false
|
|
cluster:
|
|
nodes: 3 # default: 6
|
|
replicas: 0 # default: 1
|
|
|
|
## @section Redis®
|
|
## @descriptionStart
|
|
## Redis® is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis) if enabled in the values.
|
|
## Full configuration options are available on their website.
|
|
## Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
|
|
## @descriptionEnd
|
|
#
|
|
## @param redis.enabled Enable redis standalone or replicated
|
|
## @param redis.architecture Whether to use standalone or replication
|
|
## @param redis.global.redis.password Required password
|
|
## @param redis.master.count Number of Redis master instances to deploy
|
|
redis:
|
|
enabled: false
|
|
architecture: standalone
|
|
global:
|
|
redis:
|
|
password: changeme
|
|
master:
|
|
count: 1
|
|
|
|
## @section PostgreSQL HA
|
|
## @descriptionStart
|
|
## PostgreSQL HA is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) if enabled in the values.
|
|
## Full configuration options are available on their website.
|
|
## @descriptionEnd
|
|
#
|
|
## @param postgresql-ha.enabled Enable PostgreSQL HA chart
|
|
## @param postgresql-ha.crunchydataOperator Indicate that we are using the crunchydata Operator to deploy PostgreSQL HA
|
|
## @param postgresql-ha.postgresql.password Password for the `gitea` user (overrides `auth.password`)
|
|
## @param postgresql-ha.global.postgresql.database Name for a custom database to create (overrides `auth.database`)
|
|
## @param postgresql-ha.global.postgresql.username Name for a custom user to create (overrides `auth.username`)
|
|
## @param postgresql-ha.global.postgresql.password Name for a custom password to create (overrides `auth.password`)
|
|
## @param postgresql-ha.postgresql.repmgrPassword Repmgr Password
|
|
## @param postgresql-ha.postgresql.postgresPassword postgres Password
|
|
## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword
|
|
## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
|
|
## @param postgresql-ha.primary.persistence.size PVC Storage Request for PostgreSQL HA volume
|
|
postgresql-ha:
|
|
global:
|
|
postgresql:
|
|
database: gitea
|
|
password: gitea
|
|
username: gitea
|
|
enabled: false
|
|
crunchydataOperator: true
|
|
postgresql:
|
|
repmgrPassword: changeme2
|
|
postgresPassword: changeme1
|
|
password: changeme4
|
|
pgpool:
|
|
adminPassword: changeme3
|
|
service:
|
|
ports:
|
|
postgresql: 5432
|
|
primary:
|
|
persistence:
|
|
size: 10Gi
|
|
|
|
## @section PostgreSQL
|
|
## @descriptionStart
|
|
## PostgreSQL is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) if enabled in the values.
|
|
## Full configuration options are available on their website.
|
|
## @descriptionEnd
|
|
#
|
|
## @param postgresql.enabled Enable PostgreSQL
|
|
## @param postgresql.global.postgresql.auth.password Password for the `gitea` user (overrides `auth.password`)
|
|
## @param postgresql.global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`)
|
|
## @param postgresql.global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`)
|
|
## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
|
|
## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume
|
|
postgresql:
|
|
enabled: false
|
|
global:
|
|
postgresql:
|
|
auth:
|
|
password: gitea
|
|
database: gitea
|
|
username: gitea
|
|
service:
|
|
ports:
|
|
postgresql: 5432
|
|
primary:
|
|
persistence:
|
|
size: 10Gi
|
|
|
|
# By default, removed or moved settings that still remain in a user defined values.yaml will cause Helm to fail running the install/update.
|
|
# Set it to false to skip this basic validation check.
|
|
## @section Advanced
|
|
## @param checkDeprecation Whether to run this basic validation check.
|
|
## @param test.enabled Whether to use test-connection Pod.
|
|
## @param test.image.name Image name for the wget container used in the test-connection Pod.
|
|
## @param test.image.tag Image tag for the wget container used in the test-connection Pod.
|
|
checkDeprecation: true
|
|
test:
|
|
enabled: true
|
|
image:
|
|
name: busybox
|
|
tag: latest
|
|
|
|
## @param extraDeploy Array of extra objects to deploy with the release.
|
|
##
|
|
extraDeploy: []
|