2020-09-25 08:37:55 -05:00
|
|
|
apiVersion: v1
|
|
|
|
|
kind: Secret
|
|
|
|
|
metadata:
|
|
|
|
|
name: {{ include "gitea.fullname" . }}-init
|
|
|
|
|
labels:
|
|
|
|
|
{{- include "gitea.labels" . | nindent 4 }}
|
|
|
|
|
type: Opaque
|
|
|
|
|
stringData:
|
2023-01-17 10:58:10 -06:00
|
|
|
configure_gpg_environment.sh: |-
|
|
|
|
|
#!/usr/bin/env bash
|
|
|
|
|
set -eu
|
|
|
|
|
|
|
|
|
|
gpg --batch --import /raw/private.asc
|
2021-06-29 15:09:16 -05:00
|
|
|
init_directory_structure.sh: |-
|
|
|
|
|
#!/usr/bin/env bash
|
|
|
|
|
|
|
|
|
|
set -euo pipefail
|
|
|
|
|
|
2021-01-20 05:28:39 -06:00
|
|
|
{{- if .Values.initPreScript }}
|
|
|
|
|
# BEGIN: initPreScript
|
|
|
|
|
{{- with .Values.initPreScript -}}
|
|
|
|
|
{{ . | nindent 4}}
|
|
|
|
|
{{- end -}}
|
|
|
|
|
# END: initPreScript
|
|
|
|
|
{{- end }}
|
|
|
|
|
|
2021-06-29 15:09:16 -05:00
|
|
|
set -x
|
|
|
|
|
|
2021-06-09 06:42:49 -05:00
|
|
|
{{- if not .Values.image.rootless }}
|
2021-04-19 07:30:02 -05:00
|
|
|
chown 1000:1000 /data
|
2021-06-09 06:42:49 -05:00
|
|
|
{{- end }}
|
2020-09-25 08:37:55 -05:00
|
|
|
mkdir -p /data/git/.ssh
|
|
|
|
|
chmod -R 700 /data/git/.ssh
|
2022-09-25 15:08:56 -05:00
|
|
|
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
|
2021-04-29 04:12:48 -05:00
|
|
|
|
2021-06-09 09:35:50 -05:00
|
|
|
# prepare temp directory structure
|
|
|
|
|
mkdir -p "${GITEA_TEMP}"
|
2021-12-23 04:50:56 -06:00
|
|
|
{{- if not .Values.image.rootless }}
|
2021-06-09 09:35:50 -05:00
|
|
|
chown 1000:1000 "${GITEA_TEMP}"
|
2021-12-23 04:50:56 -06:00
|
|
|
{{- end }}
|
2021-06-09 09:35:50 -05:00
|
|
|
chmod ug+rwx "${GITEA_TEMP}"
|
|
|
|
|
|
2023-01-17 10:58:10 -06:00
|
|
|
{{ if .Values.signing.enabled -}}
|
|
|
|
|
if [ ! -d "${GNUPGHOME}" ]; then
|
|
|
|
|
mkdir -p "${GNUPGHOME}"
|
|
|
|
|
chmod 700 "${GNUPGHOME}"
|
|
|
|
|
chown 1000:1000 "${GNUPGHOME}"
|
|
|
|
|
fi
|
|
|
|
|
{{- end }}
|
|
|
|
|
|
2021-06-29 15:09:16 -05:00
|
|
|
configure_gitea.sh: |-
|
|
|
|
|
#!/usr/bin/env bash
|
|
|
|
|
|
|
|
|
|
set -euo pipefail
|
|
|
|
|
|
|
|
|
|
echo '==== BEGIN GITEA CONFIGURATION ===='
|
|
|
|
|
|
2022-03-01 18:25:49 -06:00
|
|
|
{ # try
|
|
|
|
|
gitea migrate
|
|
|
|
|
} || { # catch
|
|
|
|
|
echo "Gitea migrate might fail due to database connection...This init-container will try again in a few seconds"
|
|
|
|
|
exit 1
|
|
|
|
|
}
|
[Breaking] Add HA-support; switch to `Deployment` (#437)
# Changes
A big shoutout to @luhahn for all his work in #205 which served as the base for this PR.
## Documentation
- [x] After thinking for some time about it, I still prefer the distinct option (as started in #350), i.e. having a standalone "HA" doc under `docs/ha-setup.md` to not have a very long README (which is already quite long).
Most of the information below should go into it with more details and explanations behind all of the individual components.
## Chart deps
~~- Adds `meilisearch` as a chart dependency for a HA-ready issue indexer. Only works with >= Gitea 1.20~~
~~- Adds `redis` as a chart dependency for a HA-ready session and queue store.~~
- Adds `redis-cluster` as a chart dependency for a HA-ready session and queue store (alternative to `redis`). Only works with >= Gitea 1.19.2.
- Removes `memcached` instead of `redis-cluster`
- Add `postgresql-ha` as default DB dep in favor of `postgres`
## Adds smart HA chart logic
The goal is to set smart config values that result in a HA-ready Gitea deployment if `replicaCount` > 1.
- If `replicaCount` > 1,
- `gitea.config.session.PROVIDER` is automatically set to `redis-cluster`
- `gitea.config.indexer.REPO_INDEXER_ENABLED` is automatically set to `false` unless the value is `elasticsearch` or `meilisearch`
- `redis-cluster` is used for `[queue]` and `[cache]` and `[session]`mode or not
Configuration of external instances of `meilisearch` and `minio` are documented in a new markdown doc.
## Deployment vs Statefulset
Given all the discussions about this lately (#428), I think we could use both.
In the end, we do not have the requirement for a sequential pod scale up/scale down as it would happen in statefulsets.
On the other side, we do not have actual stateless pods as we are attaching a RWX to the deployment.
Yet I think because we do not have a leader-election requirement, spawning the pods as a deployment makes "Rolling Updates" easier and also signals users that there is no "leader election" logic and each pod can just be "destroyed" at anytime without causing interruption.
Hence I think we should be able to switch from a statefulset to a deployment, even in the single-replica case.
This change also brought up a templating/linting issue: the definition of `.Values.gitea.config.server.SSH_LISTEN_PORT` in `ssh-svc.yaml` just "luckily" worked so far due to naming-related lint processing. Due to the change from "statefulset" to "deployment", the processing queue changed and caused a failure complaining about `config.server.SSH_LISTEN_PORT` not being defined yet.
The only way I could see to fix this was to "properly" define the value in `values.yaml` instead of conditionally definining it in `helpers.tpl`. Maybe there's a better way?
## Chart PVC Creation
I've adapted the automated PVC creation from another chart to be able to provide the `storageClassName` as I couldn't get dynamic provisioning for EFS going with the current implementation.
In addition the naming and approach within the Gitea chart for PV creation is a bit unusual and aligning it might be beneficial.
A semi-unrelated change which will result in a breaking change for existing users but this PR includes a lot of breaking changes already, so including another one might not make it much worse...
- New `persistence.mount`: whether to mount an existing PVC (via `persistence.existingClaim`
- New `persistence.create`: whether to create a new PVC
## Testing
As this PR does a lot of things, we need proper testing.
The helm chart can be installed from the Git branch via `helm-git` as follows:
```
helm repo add gitea-charts git+https://gitea.com/gitea/helm-chart@/?ref=deployment
helm install gitea --version 0.0.0
```
It is **highly recommended** to test the chart in a dedicated namespace.
I've tested this myself with both `redis` and `redis-cluster` and it seemed to work fine.
I just did some basic operations though and we should do more niche testing before merging.
Examplary `values.yml` for testing (only needs a valid RWX storage class):
<details>
<summary>values.yaml</summary>
```yml
image:
tag: "dev"
PullPolicy: "Always"
rootless: true
replicaCount: 2
persistence:
enabled: true
accessModes:
- ReadWriteMany
storageClass: FIXME
redis-cluster:
enabled: false
global:
redis:
password: gitea
gitea:
config:
indexer:
ISSUE_INDEXER_ENABLED: true
REPO_INDEXER_ENABLED: false
```
</details>
## Preferred setup
The preferred HA setup with respect to performance and stability might currently be as follows:
- Repos: RWX (e.g. EFS or Azurefiles NFS)
- Issue indexer: Meilisearch (HA)
- Session and cache: Redis Cluster (HA)
- Attachments/Avatars: Minio (HA)
This will result in a ~ 10-pod HA setup overall.
All pods have very low resource requests.
fix #98
Co-authored-by: pat-s <pat-s@noreply.gitea.io>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/437
Co-authored-by: pat-s <patrick.schratz@gmail.com>
Co-committed-by: pat-s <patrick.schratz@gmail.com>
2023-07-17 14:09:42 -05:00
|
|
|
|
|
|
|
|
{{- if include "redis.servicename" . }}
|
|
|
|
|
function test_redis_connection() {
|
|
|
|
|
local RETRY=0
|
|
|
|
|
local MAX=30
|
|
|
|
|
|
|
|
|
|
echo 'Wait for redis to become avialable...'
|
|
|
|
|
until [ "${RETRY}" -ge "${MAX}" ]; do
|
|
|
|
|
nc -vz -w2 {{ include "redis.servicename" . }} {{ include "redis.port" . }} && break
|
|
|
|
|
RETRY=$[${RETRY}+1]
|
|
|
|
|
echo "...not ready yet (${RETRY}/${MAX})"
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
if [ "${RETRY}" -ge "${MAX}" ]; then
|
|
|
|
|
echo "Redis not reachable after '${MAX}' attempts!"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test_redis_connection
|
|
|
|
|
{{- end }}
|
2022-03-01 18:25:49 -06:00
|
|
|
|
2021-06-29 15:09:16 -05:00
|
|
|
|
2021-06-21 08:28:18 -05:00
|
|
|
{{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
|
2021-06-29 15:09:16 -05:00
|
|
|
function configure_admin_user() {
|
2023-12-21 01:59:18 -06:00
|
|
|
local full_admin_list=$(gitea admin user list --admin)
|
|
|
|
|
local actual_user_table=''
|
|
|
|
|
|
|
|
|
|
# We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
|
|
|
|
|
local regex="(.*)(ID\s+Username\s+Email\s+IsActive.*)"
|
|
|
|
|
if [[ "${full_admin_list}" =~ $regex ]]; then
|
|
|
|
|
actual_user_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
|
|
|
|
|
else
|
|
|
|
|
# This code block should never be reached, as long as the output table header remains the same.
|
|
|
|
|
# If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
|
|
|
|
|
|
|
|
|
|
echo "ERROR: 'configure_admin_user' was not able to determine the current list of admin users."
|
|
|
|
|
echo " Please review the output of 'gitea admin user list --admin' shown below."
|
|
|
|
|
echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
|
|
|
|
|
echo "DEBUG: Output of 'gitea admin user list --admin'"
|
|
|
|
|
echo "--"
|
|
|
|
|
echo "${full_admin_list}"
|
|
|
|
|
echo "--"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
|
2021-06-29 15:09:16 -05:00
|
|
|
if [[ -z "${ACCOUNT_ID}" ]]; then
|
|
|
|
|
echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
|
|
|
|
|
gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
|
|
|
|
|
echo '...created.'
|
|
|
|
|
else
|
|
|
|
|
echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
|
|
|
|
|
gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
|
|
|
|
|
echo '...password sync done.'
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
configure_admin_user
|
2020-09-25 08:37:55 -05:00
|
|
|
{{- end }}
|
2021-06-29 15:09:16 -05:00
|
|
|
|
|
|
|
|
function configure_ldap() {
|
2021-10-08 07:16:24 -05:00
|
|
|
{{- if .Values.gitea.ldap }}
|
|
|
|
|
{{- range $idx, $value := .Values.gitea.ldap }}
|
|
|
|
|
local LDAP_NAME={{ (printf "%s" $value.name) | squote }}
|
2023-12-21 01:59:18 -06:00
|
|
|
local full_auth_list=$(gitea admin auth list --vertical-bars)
|
|
|
|
|
local actual_auth_table=''
|
|
|
|
|
|
|
|
|
|
# We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
|
|
|
|
|
local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)"
|
|
|
|
|
if [[ "${full_auth_list}" =~ $regex ]]; then
|
|
|
|
|
actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
|
|
|
|
|
else
|
|
|
|
|
# This code block should never be reached, as long as the output table header remains the same.
|
|
|
|
|
# If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
|
|
|
|
|
|
|
|
|
|
echo "ERROR: 'configure_ldap' was not able to determine the current list of authentication sources."
|
|
|
|
|
echo " Please review the output of 'gitea admin auth list --vertical-bars' shown below."
|
|
|
|
|
echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
|
|
|
|
|
echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
|
|
|
|
|
echo "--"
|
|
|
|
|
echo "${full_auth_list}"
|
|
|
|
|
echo "--"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
local GITEA_AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " " "{print \$1}")
|
2021-06-29 15:09:16 -05:00
|
|
|
|
|
|
|
|
if [[ -z "${GITEA_AUTH_ID}" ]]; then
|
|
|
|
|
echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
|
2021-10-08 07:16:24 -05:00
|
|
|
gitea admin auth add-ldap {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
|
2021-06-29 15:09:16 -05:00
|
|
|
echo '...installed.'
|
|
|
|
|
else
|
|
|
|
|
echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..."
|
2021-10-08 07:16:24 -05:00
|
|
|
gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" (list $idx $value) | indent 1 }}
|
2021-06-29 15:09:16 -05:00
|
|
|
echo '...sync settings done.'
|
|
|
|
|
fi
|
2021-10-08 07:16:24 -05:00
|
|
|
{{- end }}
|
|
|
|
|
{{- else }}
|
|
|
|
|
echo 'no ldap configuration... skipping.'
|
|
|
|
|
{{- end }}
|
2021-06-29 15:09:16 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
configure_ldap
|
|
|
|
|
|
|
|
|
|
function configure_oauth() {
|
2021-12-20 08:43:55 -06:00
|
|
|
{{- if .Values.gitea.oauth }}
|
|
|
|
|
{{- range $idx, $value := .Values.gitea.oauth }}
|
|
|
|
|
local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
|
2023-12-21 01:59:18 -06:00
|
|
|
local full_auth_list=$(gitea admin auth list --vertical-bars)
|
|
|
|
|
local actual_auth_table=''
|
|
|
|
|
|
|
|
|
|
# We might have distorted output due to warning logs, so we have to detect the actual user table by its headline and trim output above that line
|
|
|
|
|
local regex="(.*)(ID\s+\|Name\s+\|Type\s+\|Enabled.*)"
|
|
|
|
|
if [[ "${full_auth_list}" =~ $regex ]]; then
|
|
|
|
|
actual_auth_table=$(echo "${BASH_REMATCH[2]}" | tail -n+2) # tail'ing to drop the table headline
|
|
|
|
|
else
|
|
|
|
|
# This code block should never be reached, as long as the output table header remains the same.
|
|
|
|
|
# If this code block is reached, the regex doesn't match anymore and we probably have to adjust this script.
|
|
|
|
|
|
|
|
|
|
echo "ERROR: 'configure_oauth' was not able to determine the current list of authentication sources."
|
|
|
|
|
echo " Please review the output of 'gitea admin auth list --vertical-bars' shown below."
|
|
|
|
|
echo " If you think it is an issue with the Helm Chart provisioning, file an issue at https://gitea.com/gitea/helm-chart/issues."
|
|
|
|
|
echo "DEBUG: Output of 'gitea admin auth list --vertical-bars'"
|
|
|
|
|
echo "--"
|
|
|
|
|
echo "${full_auth_list}"
|
|
|
|
|
echo "--"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
local AUTH_ID=$(echo "${actual_auth_table}" | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " " "{print \$1}")
|
2021-06-29 15:09:16 -05:00
|
|
|
|
|
|
|
|
if [[ -z "${AUTH_ID}" ]]; then
|
|
|
|
|
echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
|
2021-12-20 08:43:55 -06:00
|
|
|
gitea admin auth add-oauth {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
|
2021-06-29 15:09:16 -05:00
|
|
|
echo '...installed.'
|
|
|
|
|
else
|
|
|
|
|
echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
|
2021-12-20 08:43:55 -06:00
|
|
|
gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
|
2021-06-29 15:09:16 -05:00
|
|
|
echo '...sync settings done.'
|
|
|
|
|
fi
|
2021-12-20 08:43:55 -06:00
|
|
|
{{- end }}
|
|
|
|
|
{{- else }}
|
|
|
|
|
echo 'no oauth configuration... skipping.'
|
|
|
|
|
{{- end }}
|
2021-06-29 15:09:16 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
configure_oauth
|
|
|
|
|
|
|
|
|
|
echo '==== END GITEA CONFIGURATION ===='
|
