227 lines
7.1 KiB
YAML
227 lines
7.1 KiB
YAML
image:
|
||
registry: ""
|
||
# IMPORTANT:
|
||
# The default image used by the Gitea Helm chart is the *rootless* variant.
|
||
# Rootless Gitea does NOT include an SSH server, so enabling SSH in the chart
|
||
# will NOT work unless you explicitly switch to the rootful image.
|
||
#
|
||
# Default chart image (rootless, SSH disabled):
|
||
# registry: "docker.gitea.com"
|
||
# repository: gitea
|
||
#
|
||
# Correct rootful image (SSH enabled):
|
||
# repository: gitea/gitea
|
||
#
|
||
# This ensures the container includes OpenSSH and can expose the SSH port.
|
||
repository: gitea/gitea
|
||
pullPolicy: Always
|
||
# dependency:
|
||
# https://github.com/bitnami/charts/blob/main/bitnami/valkey-cluster/Chart.yaml
|
||
valkey-cluster:
|
||
enabled: false
|
||
|
||
# dependency:
|
||
# https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml
|
||
valkey:
|
||
enabled: true
|
||
architecture: standalone
|
||
global:
|
||
valkey:
|
||
password: "???"
|
||
|
||
# Disable NetworkPolicy creation in the Bitnami valkey subchart.
|
||
# This deployment runs inside a controlled namespace where network
|
||
# boundaries are enforced by the platform (Infra team), not by Helm.
|
||
#
|
||
# CI/CD pipelines use a restricted ServiceAccount that is intentionally
|
||
# NOT allowed to create or modify NetworkPolicies. Leaving this enabled
|
||
# would cause Helm upgrades to fail with RBAC errors.
|
||
#
|
||
# Infra-owned NetworkPolicies are applied separately and independently
|
||
# of application charts to maintain a clean separation of responsibilities.
|
||
networkPolicy:
|
||
enabled: false
|
||
|
||
serviceAccount:
|
||
# serviceAccount resources are owned and managed by the Infrastructure layer.
|
||
# The CI/CD ServiceAccount used for application deployments does not have
|
||
# permissions to create or modify serviceAccounts, by design.
|
||
#
|
||
# In this setup Valkey does not require its own ServiceAccount, so enabling
|
||
# this would provide no benefit and would cause Helm upgrades to fail due
|
||
# to RBAC restrictions.
|
||
create: false
|
||
name: ""
|
||
|
||
primary:
|
||
pdb:
|
||
# Disable the PodDisruptionBudget for PostgreSQL.
|
||
#
|
||
# This deployment uses a single‑instance (non‑HA) valkey, so a PDB
|
||
# provides no real benefit — Kubernetes cannot evict the only pod anyway.
|
||
#
|
||
# More importantly, PodDisruptionBudgets are considered an Infra‑owned
|
||
# resource in this cluster. The CI/CD ServiceAccount intentionally lacks
|
||
# permissions to create or modify PDBs, and enabling this would cause
|
||
# Helm upgrades to fail with RBAC errors.
|
||
#
|
||
# The platform team applies disruption policies separately at the
|
||
# infrastructure layer, keeping a clean separation of responsibilities.
|
||
create: false
|
||
|
||
|
||
|
||
|
||
# dependency:
|
||
# https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
|
||
postgresql-ha:
|
||
enabled: false
|
||
|
||
# dependency:
|
||
# https://github.com/bitnami/charts/blob/main/bitnami/postgresql
|
||
postgresql:
|
||
enabled: true
|
||
image:
|
||
repository: bitnami/postgresql
|
||
tag: 16
|
||
imagePullPolicy: IfNotPresent
|
||
global:
|
||
postgresql:
|
||
auth:
|
||
postgresPassword: "???"
|
||
password: "???"
|
||
database: "???"
|
||
username: "???"
|
||
|
||
primary:
|
||
networkPolicy:
|
||
# Disable NetworkPolicy creation in the Bitnami PostgreSQL subchart.
|
||
# This deployment runs inside a controlled namespace where network
|
||
# boundaries are enforced by the platform (Infra team), not by Helm.
|
||
#
|
||
# CI/CD pipelines use a restricted ServiceAccount that is intentionally
|
||
# NOT allowed to create or modify NetworkPolicies. Leaving this enabled
|
||
# would cause Helm upgrades to fail with RBAC errors.
|
||
#
|
||
# Infra-owned NetworkPolicies are applied separately and independently
|
||
# of application charts to maintain a clean separation of responsibilities.
|
||
enabled: false
|
||
pdb:
|
||
# Disable the PodDisruptionBudget for PostgreSQL.
|
||
#
|
||
# This deployment uses a single‑instance (non‑HA) PostgreSQL, so a PDB
|
||
# provides no real benefit — Kubernetes cannot evict the only pod anyway.
|
||
#
|
||
# More importantly, PodDisruptionBudgets are considered an Infra‑owned
|
||
# resource in this cluster. The CI/CD ServiceAccount intentionally lacks
|
||
# permissions to create or modify PDBs, and enabling this would cause
|
||
# Helm upgrades to fail with RBAC errors.
|
||
#
|
||
# The platform team applies disruption policies separately at the
|
||
# infrastructure layer, keeping a clean separation of responsibilities.
|
||
create: false
|
||
|
||
serviceAccount:
|
||
# serviceAccount resources are owned and managed by the Infrastructure layer.
|
||
# The CI/CD ServiceAccount used for application deployments does not have
|
||
# permissions to create or modify serviceAccounts, by design.
|
||
# In this setup postgresql does not require its own ServiceAccount, so enabling
|
||
# this would provide no benefit and would cause Helm upgrades to fail due
|
||
# to RBAC restrictions.
|
||
create: false
|
||
|
||
persistence:
|
||
size: 10Gi
|
||
metrics:
|
||
enabled: false
|
||
|
||
persistence:
|
||
enabled: true
|
||
|
||
service:
|
||
ssh:
|
||
type: LoadBalancer
|
||
enabled: true
|
||
port: 2222
|
||
loadBalancerIP:
|
||
externalTrafficPolicy: Local
|
||
http:
|
||
clusterIP: "" # empty string → Kubernetes assigns a routable ClusterIP
|
||
type: ClusterIP
|
||
port: 3000
|
||
gitea:
|
||
admin:
|
||
username: "???"
|
||
password: "???"
|
||
email: "???"
|
||
config:
|
||
oauth2:
|
||
JWT_SECRET: "???"
|
||
actions:
|
||
ENABLED: true
|
||
database:
|
||
DB_TYPE: postgres
|
||
indexer:
|
||
ISSUE_INDEXER_TYPE: bleve
|
||
REPO_INDEXER_ENABLED: true
|
||
picture:
|
||
AVATAR_UPLOAD_PATH: /data/avatars
|
||
server:
|
||
DOMAIN: git.limbosolutions.com
|
||
SSH_DOMAIN: git.limbosolutions.com
|
||
ROOT_URL: https://git.limbosolutions.com
|
||
DISABLE_SSH: false
|
||
SSH_PORT: 2222
|
||
SSH_LISTEN_PORT: 2222
|
||
LFS_START_SERVER: true
|
||
START_SSH_SERVER: true
|
||
LFS_PATH: /data/git/lfs
|
||
LFS_JWT_SECRET: "???"
|
||
OFFLINE_MODE: false
|
||
#MFF 03/08/2024
|
||
REPO_INDEXER_ENABLED: true
|
||
REPO_INDEXER_PATH: indexers/repos.bleve
|
||
MAX_FILE_SIZE: 1048576
|
||
REPO_INDEXER_INCLUDE:
|
||
REPO_INDEXER_EXCLUDE: resources/bin/**
|
||
####
|
||
|
||
service:
|
||
DISABLE_REGISTRATION: true
|
||
REQUIRE_SIGNIN_VIEW: false
|
||
REGISTER_EMAIL_CONFIRM: false
|
||
ENABLE_NOTIFY_MAIL: false
|
||
ALLOW_ONLY_EXTERNAL_REGISTRATION: false
|
||
ENABLE_CAPTCHA: true
|
||
DEFAULT_KEEP_EMAIL_PRIVATE : true
|
||
DEFAULT_ALLOW_CREATE_ORGANIZATION: true
|
||
DEFAULT_ENABLE_TIMETRACKING: true
|
||
NO_REPLY_ADDRESS: noreply.localhost
|
||
oauth2:
|
||
JWT_SECRET: "???"
|
||
mailer:
|
||
ENABLED: false
|
||
|
||
openid:
|
||
ENABLE_OPENID_SIGNIN: false
|
||
ENABLE_OPENID_SIGNUP: false
|
||
|
||
|
||
security:
|
||
INSTALL_LOCK: true
|
||
SECRET_KEY: "???"
|
||
REVERSE_PROXY_LIMIT: 1
|
||
REVERSE_PROXY_TRUSTED_PROXIES: "???"
|
||
INTERNAL_TOKEN: "???"
|
||
PASSWORD_HASH_ALGO: "???"
|
||
|
||
# Ingress resources are owned and managed by the Infrastructure layer.
|
||
# The CI/CD ServiceAccount used for application deployments does not have
|
||
# permissions to create or modify Ingress objects, by design.
|
||
# for ingress setup check infra folder
|
||
ingress:
|
||
enabled: false
|
||
|
||
|
||
|