separate out existign secrets

demo/forgejo/forgejo_argocd_appset.yaml

@@ -395,13 +395,11 @@ spec:
                   #    prometheus-release: prom1
 
               ## @param gitea.ldap LDAP configuration
-              ldap:
-                []
+              ldap: []
 
               # Either specify inline `key` and `secret` or refer to them via `existingSecret`
               ## @param gitea.oauth OAuth configuration
-              oauth:
-                []
+              oauth: []
                 # - name: 'OAuth 1'
                 #   provider:
                 #   key:
@@ -422,7 +420,27 @@ spec:
               #       name: gitea-app-ini-plaintext
 
               ## @param gitea.additionalConfigFromEnvs Additional configuration sources from environment variables
-              additionalConfigFromEnvs: []
+              additionalConfigFromEnvs:
+              - name: FORGEJO__CACHE__HOST
+                valueFrom:
+                  secretKeyRef:
+                    name: redis-creds
+                    key: REDIS_URL
+              - name: FORGEJO__QUEUE__CONN_STR
+                valueFrom:
+                  secretKeyRef:
+                    name: redis-creds
+                    key: REDIS_URL
+              - name: FORGEJO__DATABASE__USER
+                valueFrom:
+                  secretKeyRef:
+                    name: forgejo-pgsql-credentials
+                    key: username
+              - name: FORGEJO__DATABASE__PASSWD
+                valueFrom:
+                  secretKeyRef:
+                    name: forgejo-pgsql-credentials
+                    key: password
 
               ## @param gitea.podAnnotations Annotations for the Forgejo pod
               podAnnotations: {}
@@ -462,10 +480,8 @@ spec:
                 ## @param gitea.config.database Database configuration (only necessary with an [externally managed DB](https://code.forgejo.org/forgejo-helm/forgejo-helm#external-database)).
                 database:
                   DB_TYPE: postgres
+                  USER: forgejo
                   HOST: forgejo-postgres:5432
-                  NAME: forgejo
-                  USER: root
-                  PASSWD: "your-password-here"
                   SSL_MODE: disable
 
                 ## @param gitea.config.indexer Settings for what content is indexed and how

demo/forgejo/forgejo_valkey_appset.yaml

@@ -0,0 +1,108 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: forgejo-valkey-cluster-appset
+  namespace: argocd
+spec:
+  # enable go templating
+  goTemplate: true
+  generators:
+    - plugin:
+        configMapRef:
+          name: secret-var-plugin-generator
+        input:
+          parameters:
+            secret_vars:
+              - global_time_zone
+  template:
+    metadata:
+      name: forgejo-valkey-cluster-app
+      annotations:
+        argocd.argoproj.io/sync-wave: "1"
+    spec:
+      project: default
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: forgejo
+
+      syncPolicy:
+        syncOptions:
+          - CreateNamespace=true
+          - ApplyOutOfSyncOnly=true
+        automated:
+          prune: true
+          selfHeal: true
+
+      source:
+        repoURL: 'registry-1.docker.io'
+        chart: bitnamicharts/valkey-cluster
+        targetRevision: 1.0.2
+        helm:
+          valuesObject:
+
+            global:
+              storageClass: "local-path"
+
+            fullnameOverride: "valkey"
+
+            usePassword: true
+            existingSecret: "forgejo-valkey-credentials"
+            existingSecretPasswordKey: "valkey-password"
+
+            tls:
+              enabled: false
+              authClients: true
+              autoGenerated: false
+
+            persistence:
+              enabled: true
+              path: /bitnami/valkey/data
+              storageClass: local-path
+              annotations:
+                k8up.io/backup: 'true'
+              accessModes:
+                - ReadWriteOnce
+              size: 8G
+
+            persistentVolumeClaimRetentionPolicy:
+              enabled: true
+              whenScaled: Retain
+              whenDeleted: Retain
+
+            valkey:
+              command: []
+              args: []
+              updateStrategy:
+                type: RollingUpdate
+                rollingUpdate:
+                  partition: 0
+
+              podManagementPolicy: Parallel
+              automountServiceAccountToken: false
+              hostNetwork: false
+              containerPorts:
+                valkey: 6379
+                bus: 16379
+
+              resourcesPreset: "nano"
+
+            cluster:
+              init: true
+              nodes: 3
+              replicas: 0
+              externalAccess:
+                enabled: false
+                hostMode: false
+                service:
+                  disableLoadBalancerIP: false
+                  type: LoadBalancer
+                  port: 6379
+                  loadBalancerIP: []
+                  loadBalancerSourceRanges: []
+
+            # metrics on valkey cluster
+            metrics:
+              # we use a grafana exporter that logs into valkey directly
+              enabled: true
+              resourcesPreset: nano

demo/forgejo/gitea-pgsql-credentials.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: gitea-pgsql-credentials
+  namespace: forgejo
+stringData:
+  password: "your-password-here"
+  username: "forgejo"

demo/forgejo/gitea-redis-creds.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: redis-creds
+  namespace: forgejo
+stringData:
+  REDIS_URL: "redis://your-password-here@valkey:6379/0"

demo/forgejo/gitea-valkey-credentials.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: forgejo-valkey-credentials
+  namespace: forgejo
+stringData:
+  valkey-password: "your-password-here"
+