helm-chart/templates/gitea/init.yaml

apiVersion: v1
kind: Secret
metadata:
  name: {{ include "gitea.fullname" . }}-init
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
type: Opaque
stringData:
  init_gitea.sh: |-
    #!/bin/bash
    {{- if .Values.initPreScript }}
    # BEGIN: initPreScript
    {{- with .Values.initPreScript -}}
    {{ . | nindent 4}}
    {{- end -}}
    # END: initPreScript
    {{- end }}

    mkdir -p /data/git/.ssh
    chmod -R 700 /data/git/.ssh
    mkdir -p /data/gitea/conf
    cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
    chmod a+rwx /data/gitea/conf/app.ini
    nc -v -w2 -z {{ include "db.servicename" . }} {{ include "db.port" . }} && \
    su git -c ' \
    set -x; \
    gitea migrate; \
    {{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}
    gitea admin create-user --username  {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}' --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
    || \
    gitea admin change-password --username {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}'; \
    {{- end }}
    {{- if .Values.gitea.ldap.enabled }}
    gitea admin auth add-ldap \
    {{- include "gitea.ldap_settings" . | nindent 6 }} \
    || \
    ( \
      export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.ldap.name | quote }} | awk -F " "  "{print \$1}"); \
      gitea admin auth update-ldap --id ${GITEA_AUTH_ID} \
      {{- include "gitea.ldap_settings" . | nindent 6 }} \
    ) \
    {{- end }}
    '
Move all password related data to secrets (#28) Bump Chart version Move all password related data to secrets Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/28 Reviewed-by: techknowlogick <techknowlogick@gitea.io> Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> 2020-09-25 08:37:55 -05:00			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: {{ include "gitea.fullname" . }}-init`
			`labels:`
			`{{- include "gitea.labels" . \| nindent 4 }}`
			`type: Opaque`
			`stringData:`
			`init_gitea.sh: \|-`
			`#!/bin/bash`
enhancements to support postgres client-cert authentication (#47) This PR adds a few new chart features which adds to the flexibility of the chart. - allow extra volumes to be mounted (such as secrets): 2f862c5a48 - pass environment variables also to the init-container: 7044049478 - allow a preparation script to be "injected" into the init-container: 6125a69345 As a concrete example of how this can be used, I use is to configure Gitea to use client certificate authentication against an external Postgres database. That could be accomplished by having a `gitea-postgres-ssl` secret: ``` apiVersion: v1 kind: Secret type: Opaque metadata: name: gitea-postgres-ssl data: postgresql.crt: <base64...> postgresql.key: <base64...> root.crt: <base64...> ``` and then mounting this as a volume in Gitea using: ``` extraVolumes: - name: postgres-ssl-vol secret: secretName: gitea-postgres-ssl extraVolumeMounts: - name: postgres-ssl-vol readOnly: true mountPath: "/pg-ssl" ``` To get the right permissions on the credentials, we'd use the `initPreScript`: ``` initPreScript: \| # copy postgres client and CA cert from mount and # give proper permissions mkdir -p /data/git/.postgresql cp /pg-ssl/* /data/git/.postgresql/ chown -R git:git /data/git/.postgresql/ chmod 400 /data/git/.postgresql/postgresql.key ``` and to make sure that Gitea uses the certificate we need to pass the proper postgres environment variables (both to the init container and the "main" container): ``` statefulset: env: - name: "PGSSLCERT" value: "/data/git/.postgresql/postgresql.crt" - name: "PGSSLKEY" value: "/data/git/.postgresql/postgresql.key" - name: "PGSSLROOTCERT" value: "/data/git/.postgresql/root.crt" ``` Co-authored-by: Peter Gardfjäll <peter.gardfjall.work@gmail.com> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/47 Reviewed-by: luhahn <luhahn@noreply.gitea.io> Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: petergardfjall <petergardfjall@noreply.gitea.io> Co-committed-by: petergardfjall <petergardfjall@noreply.gitea.io> 2021-01-20 05:28:39 -06:00			`{{- if .Values.initPreScript }}`
			`# BEGIN: initPreScript`
			`{{- with .Values.initPreScript -}}`
			`{{ . \| nindent 4}}`
			`{{- end -}}`
			`# END: initPreScript`
			`{{- end }}`

Move all password related data to secrets (#28) Bump Chart version Move all password related data to secrets Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/28 Reviewed-by: techknowlogick <techknowlogick@gitea.io> Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> 2020-09-25 08:37:55 -05:00			`mkdir -p /data/git/.ssh`
			`chmod -R 700 /data/git/.ssh`
			`mkdir -p /data/gitea/conf`
			`cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini`
			`chmod a+rwx /data/gitea/conf/app.ini`
			`nc -v -w2 -z {{ include "db.servicename" . }} {{ include "db.port" . }} && \`
			`su git -c ' \`
			`set -x; \`
			`gitea migrate; \`
			`{{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}`
Fix admin user creation for gitea 1.13.0, chart version 2.1.0 (#80) Fix admin user creation for gitea 1.13.0 Add load balancer hint for ssh in README Merge branch 'master' into fix-admin-user-creation Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/80 Reviewed-by: Andrew Thornton <art27@cantab.net> Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Co-Authored-By: luhahn <luhahn@noreply.gitea.io> Co-Committed-By: luhahn <luhahn@noreply.gitea.io> 2020-12-10 03:16:13 -06:00			`gitea admin create-user --username {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}' --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \`
Move all password related data to secrets (#28) Bump Chart version Move all password related data to secrets Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/28 Reviewed-by: techknowlogick <techknowlogick@gitea.io> Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> 2020-09-25 08:37:55 -05:00			`\|\| \`
			`gitea admin change-password --username {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}'; \`
			`{{- end }}`
			`{{- if .Values.gitea.ldap.enabled }}`
			`gitea admin auth add-ldap \`
Several Improvements to Helm Chart (#87) Improve ldap settings with helper function Allow clusterIP for http service to be set, default to None Use imagePullSecrets in statefulset now Update default values Update README Bump Chart version Co-authored-by: luhahn <lucas.hahn@novum-rgi.de> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/87 Reviewed-by: lafriks <lafriks@noreply.gitea.io> Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Co-Authored-By: luhahn <luhahn@noreply.gitea.io> Co-Committed-By: luhahn <luhahn@noreply.gitea.io> 2020-12-16 06:37:47 -06:00			`{{- include "gitea.ldap_settings" . \| nindent 6 }} \`
Move all password related data to secrets (#28) Bump Chart version Move all password related data to secrets Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/28 Reviewed-by: techknowlogick <techknowlogick@gitea.io> Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> 2020-09-25 08:37:55 -05:00			`\|\| \`
			`( \`
			`export GITEA_AUTH_ID=$(gitea admin auth list \| grep {{ .Values.gitea.ldap.name \| quote }} \| awk -F " " "{print \$1}"); \`
			`gitea admin auth update-ldap --id ${GITEA_AUTH_ID} \`
Several Improvements to Helm Chart (#87) Improve ldap settings with helper function Allow clusterIP for http service to be set, default to None Use imagePullSecrets in statefulset now Update default values Update README Bump Chart version Co-authored-by: luhahn <lucas.hahn@novum-rgi.de> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/87 Reviewed-by: lafriks <lafriks@noreply.gitea.io> Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Co-Authored-By: luhahn <luhahn@noreply.gitea.io> Co-Committed-By: luhahn <luhahn@noreply.gitea.io> 2020-12-16 06:37:47 -06:00			`{{- include "gitea.ldap_settings" . \| nindent 6 }} \`
Move all password related data to secrets (#28) Bump Chart version Move all password related data to secrets Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/28 Reviewed-by: techknowlogick <techknowlogick@gitea.io> Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> 2020-09-25 08:37:55 -05:00			`) \`
			`{{- end }}`
enhancements to support postgres client-cert authentication (#47) This PR adds a few new chart features which adds to the flexibility of the chart. - allow extra volumes to be mounted (such as secrets): 2f862c5a48 - pass environment variables also to the init-container: 7044049478 - allow a preparation script to be "injected" into the init-container: 6125a69345 As a concrete example of how this can be used, I use is to configure Gitea to use client certificate authentication against an external Postgres database. That could be accomplished by having a `gitea-postgres-ssl` secret: ``` apiVersion: v1 kind: Secret type: Opaque metadata: name: gitea-postgres-ssl data: postgresql.crt: <base64...> postgresql.key: <base64...> root.crt: <base64...> ``` and then mounting this as a volume in Gitea using: ``` extraVolumes: - name: postgres-ssl-vol secret: secretName: gitea-postgres-ssl extraVolumeMounts: - name: postgres-ssl-vol readOnly: true mountPath: "/pg-ssl" ``` To get the right permissions on the credentials, we'd use the `initPreScript`: ``` initPreScript: \| # copy postgres client and CA cert from mount and # give proper permissions mkdir -p /data/git/.postgresql cp /pg-ssl/* /data/git/.postgresql/ chown -R git:git /data/git/.postgresql/ chmod 400 /data/git/.postgresql/postgresql.key ``` and to make sure that Gitea uses the certificate we need to pass the proper postgres environment variables (both to the init container and the "main" container): ``` statefulset: env: - name: "PGSSLCERT" value: "/data/git/.postgresql/postgresql.crt" - name: "PGSSLKEY" value: "/data/git/.postgresql/postgresql.key" - name: "PGSSLROOTCERT" value: "/data/git/.postgresql/root.crt" ``` Co-authored-by: Peter Gardfjäll <peter.gardfjall.work@gmail.com> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/47 Reviewed-by: luhahn <luhahn@noreply.gitea.io> Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: petergardfjall <petergardfjall@noreply.gitea.io> Co-committed-by: petergardfjall <petergardfjall@noreply.gitea.io> 2021-01-20 05:28:39 -06:00			`'`