Enable admin user password creation/update mode in values (#677)
### Description of the change This enables sane modes for forcing reset, as well as providing more options to users of the chart by giving them the flexibility to set the mode for password creation/modification as part of init whether the user exists or not. ### Benefits The new default should revert to the behavior before #673 became an issue, while also providing more flexibility for users who want to be able to manage their initial admin user password out-of-band after creating it the first time. ### Possible drawbacks None that I can think of. ### Applicable issues - fixes #673 ### Additional information See the discussion in #675 as well ### Checklist - [X] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/677 Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.com> Co-authored-by: James Harmison <jharmison@gmail.com> Co-committed-by: James Harmison <jharmison@gmail.com>
This commit is contained in:
James Harmison
justusbunsi
parent
6226e4eaea
commit
1dbf171ad3
47
README.md
47
README.md
@ -569,6 +569,20 @@ gitea:
|
||||
existingSecret: gitea-admin-secret
|
||||
```
|
||||
|
||||
Whether you use the existing Secret or specify a user name and password, there are three modes for how the admin user password is created or set.
|
||||
|
||||
- `keepUpdated` (the default) will set the admin user password, and reset it to the defined value every time the pod is recreated.
|
||||
- `initialOnlyNoReset` will set the admin user password when creating it, but never try to update the password.
|
||||
- `initialOnlyRequireReset` will set the admin user password when creating it, never update it, and require that the password be changed at the initial login.
|
||||
|
||||
These modes can be set like the following:
|
||||
|
||||
```yaml
|
||||
gitea:
|
||||
admin:
|
||||
passwordMode: initialOnlyRequireReset
|
||||
```
|
||||
|
||||
### LDAP Settings
|
||||
|
||||
Like the admin user the LDAP settings can be updated.
|
||||
@ -985,22 +999,23 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
|
||||
|
||||
### Gitea
|
||||
|
||||
| Name | Description | Value |
|
||||
| -------------------------------------- | ------------------------------------------------------------------------- | -------------------- |
|
||||
| `gitea.admin.username` | Username for the Gitea admin user | `gitea_admin` |
|
||||
| `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` |
|
||||
| `gitea.admin.password` | Password for the Gitea admin user | `r8sA8CPHD9!bt6d` |
|
||||
| `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` |
|
||||
| `gitea.metrics.enabled` | Enable Gitea metrics | `false` |
|
||||
| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor | `false` |
|
||||
| `gitea.ldap` | LDAP configuration | `[]` |
|
||||
| `gitea.oauth` | OAuth configuration | `[]` |
|
||||
| `gitea.config.server.SSH_PORT` | SSH port for rootlful Gitea image | `22` |
|
||||
| `gitea.config.server.SSH_LISTEN_PORT` | SSH port for rootless Gitea image | `2222` |
|
||||
| `gitea.additionalConfigSources` | Additional configuration from secret or configmap | `[]` |
|
||||
| `gitea.additionalConfigFromEnvs` | Additional configuration sources from environment variables | `[]` |
|
||||
| `gitea.podAnnotations` | Annotations for the Gitea pod | `{}` |
|
||||
| `gitea.ssh.logLevel` | Configure OpenSSH's log level. Only available for root-based Gitea image. | `INFO` |
|
||||
| Name | Description | Value |
|
||||
| -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------- |
|
||||
| `gitea.admin.username` | Username for the Gitea admin user | `gitea_admin` |
|
||||
| `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` |
|
||||
| `gitea.admin.password` | Password for the Gitea admin user | `r8sA8CPHD9!bt6d` |
|
||||
| `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` |
|
||||
| `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` |
|
||||
| `gitea.metrics.enabled` | Enable Gitea metrics | `false` |
|
||||
| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor | `false` |
|
||||
| `gitea.ldap` | LDAP configuration | `[]` |
|
||||
| `gitea.oauth` | OAuth configuration | `[]` |
|
||||
| `gitea.config.server.SSH_PORT` | SSH port for rootlful Gitea image | `22` |
|
||||
| `gitea.config.server.SSH_LISTEN_PORT` | SSH port for rootless Gitea image | `2222` |
|
||||
| `gitea.additionalConfigSources` | Additional configuration from secret or configmap | `[]` |
|
||||
| `gitea.additionalConfigFromEnvs` | Additional configuration sources from environment variables | `[]` |
|
||||
| `gitea.podAnnotations` | Annotations for the Gitea pod | `{}` |
|
||||
| `gitea.ssh.logLevel` | Configure OpenSSH's log level. Only available for root-based Gitea image. | `INFO` |
|
||||
|
||||
### LivenessProbe
|
||||
|
||||
|
||||
@ -400,3 +400,11 @@ https
|
||||
{{- define "gitea.serviceAccountName" -}}
|
||||
{{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "gitea.admin.passwordMode" -}}
|
||||
{{- if has .Values.gitea.admin.passwordMode (tuple "keepUpdated" "initialOnlyNoReset" "initialOnlyRequireReset") -}}
|
||||
{{ .Values.gitea.admin.passwordMode }}
|
||||
{{- else -}}
|
||||
{{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
@ -243,6 +243,8 @@ spec:
|
||||
- name: GITEA_ADMIN_PASSWORD
|
||||
value: {{ .Values.gitea.admin.password | quote }}
|
||||
{{- end }}
|
||||
- name: GITEA_ADMIN_PASSWORD_MODE
|
||||
value: {{ include "gitea.admin.passwordMode" $ }}
|
||||
{{- if .Values.deployment.env }}
|
||||
{{- toYaml .Values.deployment.env | nindent 12 }}
|
||||
{{- end }}
|
||||
|
||||
@ -109,13 +109,33 @@ stringData:
|
||||
|
||||
local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
|
||||
if [[ -z "${ACCOUNT_ID}" ]]; then
|
||||
local -a create_args
|
||||
create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }})
|
||||
if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then
|
||||
create_args+=(--must-change-password=true)
|
||||
else
|
||||
create_args+=(--must-change-password=false)
|
||||
fi
|
||||
echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
|
||||
gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
|
||||
gitea admin user create "${create_args[@]}"
|
||||
echo '...created.'
|
||||
else
|
||||
echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
|
||||
gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
|
||||
echo '...password sync done.'
|
||||
if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then
|
||||
echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
|
||||
# See https://gitea.com/gitea/helm-chart/issues/673
|
||||
# --must-change-password argument was added to change-password, defaulting to true, counter to the previous behavior
|
||||
# which acted as if it were provided with =false. If the argument is present in this version of gitea, then we
|
||||
# should add it to prevent requiring frequent admin password resets.
|
||||
local -a change_args
|
||||
change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}")
|
||||
if gitea admin user change-password --help | grep -qF -- '--must-change-password'; then
|
||||
change_args+=(--must-change-password=false)
|
||||
fi
|
||||
gitea admin user change-password "${change_args[@]}"
|
||||
echo '...password sync done.'
|
||||
else
|
||||
echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping."
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
@ -342,12 +342,14 @@ gitea:
|
||||
## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials
|
||||
## @param gitea.admin.password Password for the Gitea admin user
|
||||
## @param gitea.admin.email Email for the Gitea admin user
|
||||
## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated
|
||||
admin:
|
||||
# existingSecret: gitea-admin-secret
|
||||
existingSecret:
|
||||
username: gitea_admin
|
||||
password: r8sA8CPHD9!bt6d
|
||||
email: "gitea@local.domain"
|
||||
passwordMode: keepUpdated
|
||||
|
||||
## @param gitea.metrics.enabled Enable Gitea metrics
|
||||
## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor
|
||||
|
||||
Loading…
Reference in New Issue
Block a user