feat: enable admin user password creation/update mode in values

fixes #673
This enables sane modes for forcing reset, as well as providing more
options to users of the chart by giving them the flexibility to set the
mode for password creation/modification as part of init whether the user
exists or not.

README.md

@@ -985,11 +985,12 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 ### Gitea
 
 | Name                                   | Description                                                                                                                   | Value                |
-| -------------------------------------- | ------------------------------------------------------------------------- | -------------------- |
+| -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------- |
 | `gitea.admin.username`                 | Username for the Gitea admin user                                                                                             | `gitea_admin`        |
 | `gitea.admin.existingSecret`           | Use an existing secret to store admin user credentials                                                                        | `nil`                |
 | `gitea.admin.password`                 | Password for the Gitea admin user                                                                                             | `r8sA8CPHD9!bt6d`    |
 | `gitea.admin.email`                    | Email for the Gitea admin user                                                                                                | `gitea@local.domain` |
+| `gitea.admin.passwordMode`             | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated`        |
 | `gitea.metrics.enabled`                | Enable Gitea metrics                                                                                                          | `false`              |
 | `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor                                                                                          | `false`              |
 | `gitea.ldap`                           | LDAP configuration                                                                                                            | `[]`                 |

templates/gitea/deployment.yaml

@@ -243,6 +243,8 @@ spec:
             - name: GITEA_ADMIN_PASSWORD
               value: {{ .Values.gitea.admin.password | quote }}
             {{- end }}
+            - name: GITEA_ADMIN_PASSWORD_MODE
+              value: {{ .Values.gitea.admin.passwordMode }}
             {{- if .Values.deployment.env }}
             {{- toYaml .Values.deployment.env | nindent 12 }}
             {{- end }}

templates/gitea/init.yaml

@@ -109,13 +109,24 @@ stringData:
 
       local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
       if [[ -z "${ACCOUNT_ID}" ]]; then
+        local -a create_args
+        create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }})
+        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then
+          create_args+=(--must-change-password=true)
+        else
+          create_args+=(--must-change-password=false)
+        fi
         echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
-        gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
+        gitea admin user create "${create_args[@]}"
         echo '...created.'
       else
+        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then
           echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
-        gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
+          gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --must-change-password=false
           echo '...password sync done.'
+        else
+          echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping."
+        fi
       fi
     }
 

values.schema.json

@@ -0,0 +1,26 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema",
+  "properties": {
+    "gitea": {
+      "type": "object",
+      "properties": {
+        "admin": {
+          "type": "object",
+          "required": [
+            "passwordMode"
+          ],
+          "properties": {
+            "passwordMode": {
+              "type": "string",
+              "enum": [
+                "initialOnlyNoReset",
+                "initialOnlyRequireReset",
+                "keepUpdated"
+              ]
+            }
+          }
+        }
+      }
+    }
+  }
+}

values.yaml

@@ -342,12 +342,14 @@ gitea:
   ## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials
   ## @param gitea.admin.password Password for the Gitea admin user
   ## @param gitea.admin.email Email for the Gitea admin user
+  ## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated
   admin:
     # existingSecret: gitea-admin-secret
     existingSecret:
     username: gitea_admin
     password: r8sA8CPHD9!bt6d
     email: "gitea@local.domain"
+    passwordMode: keepUpdated
 
   ## @param gitea.metrics.enabled Enable Gitea metrics
   ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor