mirror of
https://gitea.com/gitea/helm-chart.git
synced 2024-07-04 23:34:12 +02:00
5ab596937a
I've noticed that the commented `securityContext` is not really useable with the rootless image due to different directory structure compared to the default image. Important for the `readOnlyRootFilesystem` is to declare the `TMPDIR` environment variable, so that the tmp directory (which is readonly in this case) won't be used. Instead, another writeable directory can be used. Another thing is the explicit hint that all these security options cannot be used with the default (root-based) image, because of its design. ~~Although this PR would fix the referenced issue, I am not totally happy with the current implementation. It would be more straight forward to use the same mount points for both image variants. Unfortunately, this is not possible right now due to hard coded paths in the default (root) image startup scripts.~~ ~~Anyone have suggestions on how this could be more simple?~~ ------- **Sum-up:** As mentioned in Discord, this PR tried to make too many changes. The necessary changes made in 1f331a7e6577fc798196a84a957330aca0d663cd will fix an error that occurs due to restricted access to the `/tmp` directory in a rootless image with all the `securityContext` options enabled. I also updated the default image to 1.14.2. Fixes: #158 Co-authored-by: JustusBunsi <sk.bunsenbrenner@gmail.com> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/160 Reviewed-by: luhahn <luhahn@noreply.gitea.io> Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io> Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
272 lines
5.3 KiB
YAML
272 lines
5.3 KiB
YAML
# Default values for gitea.
|
|
# This is a YAML-formatted file.
|
|
# Declare variables to be passed into your templates.
|
|
|
|
replicaCount: 1
|
|
|
|
clusterDomain: cluster.local
|
|
|
|
image:
|
|
repository: gitea/gitea
|
|
tag: 1.14.2
|
|
pullPolicy: Always
|
|
rootless: false # only possible when running 1.14 or later
|
|
|
|
imagePullSecrets: []
|
|
|
|
# only usable with rootless image due to image design
|
|
securityContext: {}
|
|
# allowPrivilegeEscalation: false
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
# privileged: false
|
|
# readOnlyRootFilesystem: true
|
|
# runAsGroup: 1000
|
|
# runAsNonRoot: true
|
|
# runAsUser: 1000
|
|
|
|
service:
|
|
http:
|
|
type: ClusterIP
|
|
port: 3000
|
|
clusterIP: None
|
|
#loadBalancerIP:
|
|
#nodePort:
|
|
annotations:
|
|
ssh:
|
|
type: ClusterIP
|
|
port: 22
|
|
clusterIP: None
|
|
#loadBalancerIP:
|
|
#nodePort:
|
|
#externalTrafficPolicy:
|
|
#externalIPs:
|
|
loadBalancerSourceRanges: []
|
|
annotations:
|
|
|
|
ingress:
|
|
enabled: false
|
|
annotations: {}
|
|
# kubernetes.io/ingress.class: nginx
|
|
# kubernetes.io/tls-acme: "true"
|
|
hosts:
|
|
- git.example.com
|
|
tls: []
|
|
# - secretName: chart-example-tls
|
|
# hosts:
|
|
# - git.example.com
|
|
|
|
resources: {}
|
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
# choice for the user. This also increases chances charts run on environments with little
|
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
|
|
## Use an alternate scheduler, e.g. "stork".
|
|
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
|
##
|
|
# schedulerName:
|
|
|
|
nodeSelector: {}
|
|
|
|
tolerations: []
|
|
|
|
affinity: {}
|
|
|
|
statefulset:
|
|
env: []
|
|
# - name: VARIABLE
|
|
# value: my-value
|
|
terminationGracePeriodSeconds: 60
|
|
labels: {}
|
|
|
|
persistence:
|
|
enabled: true
|
|
# existingClaim:
|
|
size: 10Gi
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
labels: {}
|
|
annotations: {}
|
|
|
|
# additional volumes to add to the Gitea statefulset.
|
|
extraVolumes:
|
|
# - name: postgres-ssl-vol
|
|
# secret:
|
|
# secretName: gitea-postgres-ssl
|
|
|
|
|
|
# additional volumes to mount, both to the init container and to the main
|
|
# container. As an example, can be used to mount a client cert when connecting
|
|
# to an external Postgres server.
|
|
extraVolumeMounts:
|
|
# - name: postgres-ssl-vol
|
|
# readOnly: true
|
|
# mountPath: "/pg-ssl"
|
|
|
|
# bash shell script copied verbatim to the start of the init-container.
|
|
initPreScript: ""
|
|
#
|
|
# initPreScript: |
|
|
# mkdir -p /data/git/.postgresql
|
|
# cp /pg-ssl/* /data/git/.postgresql/
|
|
# chown -R git:git /data/git/.postgresql/
|
|
# chmod 400 /data/git/.postgresql/postgresql.key
|
|
|
|
|
|
gitea:
|
|
admin:
|
|
username: gitea_admin
|
|
password: r8sA8CPHD9!bt6d
|
|
email: "gitea@local.domain"
|
|
|
|
metrics:
|
|
enabled: false
|
|
serviceMonitor:
|
|
enabled: false
|
|
# prometheusSelector: default
|
|
|
|
ldap:
|
|
enabled: false
|
|
#name:
|
|
#securityProtocol:
|
|
#host:
|
|
#port:
|
|
#userSearchBase:
|
|
#userFilter:
|
|
#adminFilter:
|
|
#emailAttribute:
|
|
#bindDn:
|
|
#bindPassword:
|
|
#usernameAttribute:
|
|
#sshPublicKeyAttribute:
|
|
|
|
oauth:
|
|
enabled: false
|
|
#name:
|
|
#provider:
|
|
#key:
|
|
#secret:
|
|
#autoDiscoverUrl:
|
|
#useCustomUrls:
|
|
#customAuthUrl:
|
|
#customTokenUrl:
|
|
#customProfileUrl:
|
|
#customEmailUrl:
|
|
|
|
config: {}
|
|
# APP_NAME: "Gitea: Git with a cup of tea"
|
|
# RUN_MODE: dev
|
|
#
|
|
# server:
|
|
# SSH_PORT: 22
|
|
#
|
|
# security:
|
|
# PASSWORD_COMPLEXITY: spec
|
|
|
|
podAnnotations: {}
|
|
|
|
database:
|
|
builtIn:
|
|
postgresql:
|
|
enabled: true
|
|
mysql:
|
|
enabled: false
|
|
mariadb:
|
|
enabled: false
|
|
|
|
cache:
|
|
builtIn:
|
|
enabled: true
|
|
|
|
livenessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 200
|
|
timeoutSeconds: 1
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
failureThreshold: 10
|
|
readinessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 5
|
|
timeoutSeconds: 1
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
failureThreshold: 3
|
|
startupProbe:
|
|
enabled: false
|
|
initialDelaySeconds: 60
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
failureThreshold: 10
|
|
|
|
# customLivenessProbe:
|
|
# httpGet:
|
|
# path: /user/login
|
|
# port: http
|
|
# initialDelaySeconds: 60
|
|
# periodSeconds: 10
|
|
# successThreshold: 1
|
|
# failureThreshold: 10
|
|
# customReadinessProbe:
|
|
# httpGet:
|
|
# path: /user/login
|
|
# port: http
|
|
# initialDelaySeconds: 5
|
|
# periodSeconds: 10
|
|
# successThreshold: 1
|
|
# failureThreshold: 3
|
|
# customStartupProbe:
|
|
# httpGet:
|
|
# path: /user/login
|
|
# port: http
|
|
# initialDelaySeconds: 60
|
|
# periodSeconds: 10
|
|
# successThreshold: 1
|
|
# failureThreshold: 10
|
|
|
|
memcached:
|
|
service:
|
|
port: 11211
|
|
|
|
postgresql:
|
|
global:
|
|
postgresql:
|
|
postgresqlDatabase: gitea
|
|
postgresqlUsername: gitea
|
|
postgresqlPassword: gitea
|
|
servicePort: 5432
|
|
persistence:
|
|
size: 10Gi
|
|
|
|
mysql:
|
|
root:
|
|
password: gitea
|
|
db:
|
|
user: gitea
|
|
password: gitea
|
|
name: gitea
|
|
service:
|
|
port: 3306
|
|
persistence:
|
|
size: 10Gi
|
|
|
|
mariadb:
|
|
auth:
|
|
database: gitea
|
|
username: gitea
|
|
password: gitea
|
|
rootPassword: gitea
|
|
primary:
|
|
service:
|
|
port: 3306
|
|
persistence:
|
|
size: 10Gi
|