Deploy: added gitea helm.

Author: vladd-bit

deploy/Makefile

@@ -18,6 +18,14 @@ HELM_POSTGRESQL_NAMESPACE ?= cogstack
 HELM_POSTGRESQL_CHART ?= ./charts/postgresql
 HELM_POSTGRESQL_VALUES_FILE ?= ./helm/postgresql.values.yaml
 HELM_POSTGRESQL_VALUES_ARG = -f $(HELM_POSTGRESQL_VALUES_FILE)
+HELM_GITEA_RELEASE ?= cogstack-gitea
+HELM_GITEA_NAMESPACE ?= cogstack
+HELM_GITEA_REPO_NAME ?= gitea-charts
+HELM_GITEA_REPO_URL ?= https://dl.gitea.com/charts/
+HELM_GITEA_CHART ?= $(HELM_GITEA_REPO_NAME)/gitea
+HELM_GITEA_CHART_VERSION ?= 12.5.0
+HELM_GITEA_VALUES_FILE ?= ./helm/gitea.values.yaml
+HELM_GITEA_VALUES_ARG = -f $(HELM_GITEA_VALUES_FILE)
 CNPG_OPERATOR_MINOR ?= 1.28
 CNPG_OPERATOR_VERSION ?= 1.28.1
 CNPG_OPERATOR_MANIFEST ?= https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-$(CNPG_OPERATOR_MINOR)/releases/cnpg-$(CNPG_OPERATOR_VERSION).yaml
@@ -97,6 +105,18 @@ helm-template-postgresql: ## Render CloudNativePG PostgreSQL chart using chart d
 helm-install-postgresql: ## Install/upgrade CloudNativePG PostgreSQL chart using chart defaults plus ./helm/postgresql.values.yaml
 	helm upgrade --install $(HELM_POSTGRESQL_RELEASE) $(HELM_POSTGRESQL_CHART) $(HELM_POSTGRESQL_VALUES_ARG) --namespace $(HELM_POSTGRESQL_NAMESPACE) --create-namespace
 
+helm-repo-add-gitea: ## Add/update the official Gitea Helm repository
+	@if ! helm repo list | awk '$$1 == "$(HELM_GITEA_REPO_NAME)" { found=1 } END { exit !found }'; then \
+		helm repo add $(HELM_GITEA_REPO_NAME) $(HELM_GITEA_REPO_URL); \
+	fi
+	helm repo update $(HELM_GITEA_REPO_NAME)
+
+helm-template-gitea: helm-repo-add-gitea ## Render the official Gitea chart using ./helm/gitea.values.yaml
+	helm template $(HELM_GITEA_RELEASE) $(HELM_GITEA_CHART) --version $(HELM_GITEA_CHART_VERSION) $(HELM_GITEA_VALUES_ARG) --namespace $(HELM_GITEA_NAMESPACE)
+
+helm-install-gitea: helm-repo-add-gitea ## Install/upgrade the official Gitea chart using ./helm/gitea.values.yaml
+	helm upgrade --install $(HELM_GITEA_RELEASE) $(HELM_GITEA_CHART) --version $(HELM_GITEA_CHART_VERSION) $(HELM_GITEA_VALUES_ARG) --namespace $(HELM_GITEA_NAMESPACE) --create-namespace
+
 
 remote-deploy-service: ## Deploy one or more services to a remote machine via SSH + docker compose
 remote-deploy-service: _check-remote-params
@@ -124,7 +144,7 @@ _check-remote-params:
 		exit 1; \
 	fi
 
-.PHONY: remote-deploy-service remote-stop-service remote-delete-service _check-remote-params helm-template-opensearch helm-install-opensearch kube-install-cnpg-operator helm-template-postgresql helm-install-postgresql
+.PHONY: remote-deploy-service remote-stop-service remote-delete-service _check-remote-params helm-template-opensearch helm-install-opensearch kube-install-cnpg-operator helm-template-postgresql helm-install-postgresql helm-repo-add-gitea helm-template-gitea helm-install-gitea
 
 # start services
 

deploy/helm/gitea.values.yaml

@@ -0,0 +1,109 @@
+# Cluster-specific overrides for the official Gitea Helm chart.
+#
+# The Makefile targets add/update the `gitea-charts` repo automatically and pin
+# the chart version. This file keeps only the overrides needed to stay close to
+# the current Docker Compose GitEA service.
+
+replicaCount: 1
+
+service:
+  http:
+    type: ClusterIP
+    port: 3000
+    clusterIP: ""
+  ssh:
+    type: ClusterIP
+    port: 2222
+    clusterIP: ""
+
+resources:
+  requests:
+    cpu: "500m"
+    memory: "512Mi"
+  limits:
+    cpu: "1"
+    memory: "1Gi"
+
+persistence:
+  size: 10Gi
+
+# Keep the initial Helm migration close to the current Compose deployment:
+# single pod, embedded SQLite, and no bundled database/cache subcharts.
+valkey-cluster:
+  enabled: false
+
+valkey:
+  enabled: false
+
+postgresql-ha:
+  enabled: false
+
+postgresql:
+  enabled: false
+
+# Create this Secret before install if you want Helm to bootstrap an admin user:
+# kubectl create secret generic gitea-admin-credentials \
+#   --from-literal=username=admin \
+#   --from-literal=password='change-me'
+#
+# Create this Secret before install to preserve the current direct-HTTPS setup:
+# kubectl create secret generic gitea-root-ca \
+#   --from-file=root-ca.pem=./security/certificates/root/root-ca.pem \
+#   --from-file=root-ca.key=./security/certificates/root/root-ca.key
+gitea:
+  admin:
+    # existingSecret: gitea-admin-credentials
+    username: ""
+    password: ""
+    email: "gitea@localhost"
+    passwordMode: initialOnlyNoReset
+  config:
+    APP_NAME: "Gitea: Git with a cup of tea"
+    RUN_MODE: prod
+    server:
+      PROTOCOL: https
+      DOMAIN: localhost
+      ROOT_URL: https://localhost:3000/
+      HTTP_PORT: 3000
+      START_SSH_SERVER: true
+      SSH_DOMAIN: localhost
+      SSH_PORT: 2222
+      SSH_LISTEN_HOST: 0.0.0.0
+      SSH_LISTEN_PORT: 2222
+      CERT_FILE: /certificates/root/root-ca.pem
+      KEY_FILE: /certificates/root/root-ca.key
+    database:
+      DB_TYPE: sqlite3
+      PATH: /data/gitea/gitea.db
+      HOST: localhost
+      SSL_MODE: disable
+      LOG_SQL: false
+    oauth2:
+      ENABLED: true
+    mailer:
+      ENABLED: false
+    repository:
+      ENABLE_PUSH_CREATE_USER: true
+      ENABLE_PUSH_CREATE_ORG: true
+      DEFAULT_PUSH_CREATE_PRIVATE: true
+    "cron.update_checker":
+      ENABLED: false
+    "repository.pull-request":
+      DEFAULT_MERGE_STYLE: merge
+    "repository.signing":
+      DEFAULT_TRUST_MODEL: committer
+
+extraVolumes:
+  - name: gitea-root-ca
+    secret:
+      secretName: gitea-root-ca
+
+extraInitVolumeMounts:
+  - name: gitea-root-ca
+    mountPath: /certificates/root
+    readOnly: true
+
+extraContainerVolumeMounts:
+  - name: gitea-root-ca
+    mountPath: /certificates/root
+    readOnly: true

deploy/helm/postgresql.values.yaml

@@ -0,0 +1,21 @@
+# Cluster-specific overrides for the CloudNativePG PostgreSQL chart.
+#
+# Shared database env, database user env, and bootstrap SQL files are not listed
+# here: the chart already consumes the repo's canonical files from deploy/,
+# security/, and services/ via its bundled defaults.
+
+cluster:
+  instances: 3
+  storage:
+    size: 20Gi
+    # storageClass: local-path
+  ownerSuperuser: false
+  enableSuperuserAccess: false
+
+# For a single-node dev cluster only:
+# cluster:
+#   instances: 1
+
+# To use a pre-created Secret instead of users_database.env defaults:
+# credentials:
+#   existingAppSecret: cogstack-postgresql-app

docs/deploy/deployment.md

@@ -82,6 +82,41 @@ helm upgrade --install cogstack-opensearch ./deploy/charts/opensearch \
 > The chart already consumes the shared OpenSearch, Dashboards, and security YAML files automatically from this repo.
 > The values file is only for cluster-specific overrides such as secret names, storage classes, replicas, and snapshot PVC claims.
 
+## ⎈ Helm (GitEA / Gitea)
+
+GitEA can be deployed with the official Gitea Helm chart. The Makefile adds the
+upstream repo automatically and pins a chart version for reproducible installs.
+
+Quick usage:
+
+```bash
+# render manifests
+make -C deploy helm-template-gitea
+
+# install or upgrade
+make -C deploy helm-install-gitea
+```
+
+Key defaults live in:
+
+```bash
+./deploy/helm/gitea.values.yaml
+```
+
+Current defaults keep the Helm deployment close to the existing Docker Compose
+service:
+
+- single replica
+- embedded SQLite
+- bundled PostgreSQL/Valkey disabled
+- ClusterIP services on ports `3000` and `2222`
+- direct HTTPS inside the Gitea pod using the shared root CA
+
+Before install, create:
+
+- `gitea-root-ca` Secret with `root-ca.pem` and `root-ca.key` from `security/certificates/root/`
+- optionally `gitea-admin-credentials` with `username` and `password` if you want Helm to bootstrap an admin user
+
 ## 🧰 Makefile Command Overview
 
 A concise reference for controlling the full CogStack deployment stack (NiFi, Elasticsearch, JupyterHub, MedCAT, OCR-service, GitEA, Beats, DB, etc.).