Rework OAuth sources (#244)

This change request includes two different things to improve OAuth source handling: - Allow multiple OAuth source configuration (Fixes: #191) - Support reading sensitive OAuth configuration data from Kubernetes secrets (Closes: #242) ⚠️ BREAKING ⚠️ --- Users need to migrate their `gitea.oauth` configuration. Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/244 Reviewed-by: luhahn <luhahn@noreply.gitea.io> Reviewed-by: Andrew Thornton <art27@cantab.net> Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io> Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
2021-12-20 22:43:55 +08:00 · 2021-12-20 22:43:55 +08:00 · 6d9362ed39
commit 6d9362ed39
parent cd09ccfcdb
5 changed files with 95 additions and 32 deletions
--- a/README.md
+++ b/README.md
@ -87,6 +87,13 @@ gitea:
  podAnnotations: {}
 ```

+### Multiple OAuth authentication sources
+
+With `5.0.0` of this Chart it is now possible to configure Gitea with multiple
+OAuth sources. As a result, you need to update an existing OAuth configuration
+in your customized `values.yaml` by replacing the object with settings to a list
+of settings objects. See [OAuth2 Settings](#oauth-settings) section for details.
+
 ## Chart upgrade from 3.x.x to 4.0.0

 :warning: The most recent `4.0.0` update brings some breaking changes. Please note
@ -521,20 +528,42 @@ deleted. Deleting OAuth2 settings has to be done in the ui. All OAuth2 values,
 which are documented [here](https://docs.gitea.io/en-us/command-line/#admin), are
 available.

+Multiple OAuth2 sources can be configured with additional OAuth list items.
+
 ```yaml
 gitea:
  oauth:
-    enabled: true
-    name: 'MyAwesomeGiteaOAuth'
-    provider: 'openidConnect'
-    key: 'hello'
-    secret: 'world'
-    autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
-    #useCustomUrls:
-    #customAuthUrl:
-    #customTokenUrl:
-    #customProfileUrl:
-    #customEmailUrl:
+    - name: 'MyAwesomeGiteaOAuth'
+      provider: 'openidConnect'
+      key: 'hello'
+      secret: 'world'
+      autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
+      #useCustomUrls:
+      #customAuthUrl:
+      #customTokenUrl:
+      #customProfileUrl:
+      #customEmailUrl:
+```
+
+You can also use an existing secret to set the `key` and `secret`:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-oauth-secret
+type: Opaque
+stringData:
+  key: hello
+  secret: world
+```
+
+```yaml
+gitea:
+  oauth:
+    - name: 'MyAwesomeGiteaOAuth'
+      existingSecret: gitea-oauth-secret
+        ...
 ```

 ### Metrics and profiling
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -138,9 +138,20 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}

 {{- define "gitea.oauth_settings" -}}
-{{- range $key, $val := .Values.gitea.oauth -}}
-{{- if ne $key "enabled" -}}
-{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
+{{- $idx := index . 0 }}
+{{- $values := index . 1 }}
+
+{{- if not (hasKey $values "key") -}}
+{{- $_ := set $values "key" (printf "${GITEA_OAUTH_KEY_%d}" $idx) -}}
+{{- end -}}
+
+{{- if not (hasKey $values "secret") -}}
+{{- $_ := set $values "secret" (printf "${GITEA_OAUTH_SECRET_%d}" $idx) -}}
+{{- end -}}
+
+{{- range $key, $val := $values -}}
+{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
+{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
@ -104,23 +104,27 @@ stringData:

    configure_ldap

-    {{- if .Values.gitea.oauth.enabled }}
    function configure_oauth() {
-      local OAUTH_NAME={{ (printf "%s" .Values.gitea.oauth.name) | squote }}
+      {{- if .Values.gitea.oauth }}
+      {{- range $idx, $value := .Values.gitea.oauth }}
+      local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
      local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")

      if [[ -z "${AUTH_ID}" ]]; then
        echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
-        gitea admin auth add-oauth {{- include "gitea.oauth_settings" . | indent 1 }}
+        gitea admin auth add-oauth {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
        echo '...installed.'
      else
        echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
-        gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" . | indent 1 }}
+        gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
        echo '...sync settings done.'
      fi
+      {{- end }}
+      {{- else }}
+        echo 'no oauth configuration... skipping.'
+      {{- end }}
    }

    configure_oauth
-    {{- end }}

    echo '==== END GITEA CONFIGURATION ===='
--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
@ -20,7 +20,9 @@ spec:
        {{- range $idx, $value := .Values.gitea.ldap }}
        checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }}
        {{- end }}
-        checksum/oauth: {{ include "gitea.oauth_settings" . | sha256sum }}
+        {{- range $idx, $value := .Values.gitea.oauth }}
+        checksum/oauth_{{ $idx }}: {{ include "gitea.oauth_settings" (list $idx $value) | sha256sum }}
+        {{- end }}
        {{- with .Values.gitea.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
@ -140,6 +142,22 @@ spec:
            {{- end }}
            {{- end }}
            {{- end }}
+            {{- if .Values.gitea.oauth }}
+            {{- range $idx, $value := .Values.gitea.oauth }}
+            {{- if $value.existingSecret }}
+            - name: GITEA_OAUTH_KEY_{{ $idx }}
+              valueFrom:
+                secretKeyRef:
+                  key:  key
+                  name: {{ $value.existingSecret }}
+            - name: GITEA_OAUTH_SECRET_{{ $idx }}
+              valueFrom:
+                secretKeyRef:
+                  key:  secret
+                  name: {{ $value.existingSecret }}
+            {{- end }}
+            {{- end }}
+            {{- end }}
            {{- if .Values.gitea.admin.existingSecret }}
            - name: GITEA_ADMIN_USERNAME
              valueFrom:
--- a/values.yaml
+++ b/values.yaml
@ -181,18 +181,19 @@ gitea:
    #  usernameAttribute:
    #  publicSSHKeyAttribute:

-  oauth:
-    enabled: false
-    #name:
-    #provider:
-    #key:
-    #secret:
-    #autoDiscoverUrl:
-    #useCustomUrls:
-    #customAuthUrl:
-    #customTokenUrl:
-    #customProfileUrl:
-    #customEmailUrl:
+  # Either specify inline `key` and `secret` or refer to them via `existingSecret`
+  oauth: []
+    # - name: 'OAuth 1'
+    #   provider:
+    #   key:
+    #   secret:
+    #   existingSecret:
+    #   autoDiscoverUrl:
+    #   useCustomUrls:
+    #   customAuthUrl:
+    #   customTokenUrl:
+    #   customProfileUrl:
+    #   customEmailUrl:

  config: {}
  #  APP_NAME: "Gitea: Git with a cup of tea"