Rework OAuth sources (#244)

This change request includes two different things to improve OAuth source handling:

- Allow multiple OAuth source configuration (Fixes: #191)
- Support reading sensitive OAuth configuration data from Kubernetes secrets (Closes: #242)

⚠️ BREAKING ⚠️
---

Users need to migrate their `gitea.oauth` configuration.

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/244
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
justusbunsi 2021-12-20 22:43:55 +08:00 committed by luhahn
parent cd09ccfcdb
commit 6d9362ed39
5 changed files with 95 additions and 32 deletions


@ -87,6 +87,13 @@ gitea:
podAnnotations: {} podAnnotations: {}
``` ```
### Multiple OAuth authentication sources
With `5.0.0` of this Chart it is now possible to configure Gitea with multiple
OAuth sources. As a result, you need to update an existing OAuth configuration
in your customized `values.yaml` by replacing the object with settings to a list
of settings objects. See [OAuth2 Settings](#oauth-settings) section for details.
## Chart upgrade from 3.x.x to 4.0.0 ## Chart upgrade from 3.x.x to 4.0.0
:warning: The most recent `4.0.0` update brings some breaking changes. Please note :warning: The most recent `4.0.0` update brings some breaking changes. Please note
@ -521,20 +528,42 @@ deleted. Deleting OAuth2 settings has to be done in the ui. All OAuth2 values,
which are documented [here](https://docs.gitea.io/en-us/command-line/#admin), are which are documented [here](https://docs.gitea.io/en-us/command-line/#admin), are
available. available.
Multiple OAuth2 sources can be configured with additional OAuth list items.
```yaml ```yaml
gitea: gitea:
oauth: oauth:
enabled: true - name: 'MyAwesomeGiteaOAuth'
name: 'MyAwesomeGiteaOAuth' provider: 'openidConnect'
provider: 'openidConnect' key: 'hello'
key: 'hello' secret: 'world'
secret: 'world' autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration' #useCustomUrls:
#useCustomUrls: #customAuthUrl:
#customAuthUrl: #customTokenUrl:
#customTokenUrl: #customProfileUrl:
#customProfileUrl: #customEmailUrl:
#customEmailUrl: ```
You can also use an existing secret to set the `key` and `secret`:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: gitea-oauth-secret
type: Opaque
stringData:
key: hello
secret: world
```
```yaml
gitea:
oauth:
- name: 'MyAwesomeGiteaOAuth'
existingSecret: gitea-oauth-secret
...
``` ```
### Metrics and profiling ### Metrics and profiling


@ -138,9 +138,20 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}} {{- end -}}
{{- define "gitea.oauth_settings" -}} {{- define "gitea.oauth_settings" -}}
{{- range $key, $val := .Values.gitea.oauth -}} {{- $idx := index . 0 }}
{{- if ne $key "enabled" -}} {{- $values := index . 1 }}
{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
{{- if not (hasKey $values "key") -}}
{{- $_ := set $values "key" (printf "${GITEA_OAUTH_KEY_%d}" $idx) -}}
{{- end -}}
{{- if not (hasKey $values "secret") -}}
{{- $_ := set $values "secret" (printf "${GITEA_OAUTH_SECRET_%d}" $idx) -}}
{{- end -}}
{{- range $key, $val := $values -}}
{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
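Review bot: Switching the `printf` line from `squote` to `quote` places every inline value — `key`, `secret` and the custom URLs — inside double quotes in the generated init script, so a literal `$`, backtick or `\` in a client secret is now subject to shell parameter expansion and command substitution at run time, where the old single-quoted form passed it verbatim. Only the two `${GITEA_OAUTH_KEY_%d}` / `${GITEA_OAUTH_SECRET_%d}` placeholders need expansion, so the helper can keep `squote` for user-supplied literals and emit the placeholders separately, which also avoids mutating the caller's map via `set` (the same map is rendered again for the checksum annotation). Sprig's `squote` does not escape an embedded `'`, so a secret containing a single quote still breaks the script exactly as it did before this change; that limitation is pre-existing and worth a comment on the define.

```yaml
{{- define "gitea.oauth_settings" -}}
{{- $idx := index . 0 }}
{{- $values := index . 1 }}
{{- range $key, $val := $values -}}
{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
{{- end -}}
{{- end -}}
{{- if not (hasKey $values "key") -}}
{{- printf "--key \"${GITEA_OAUTH_KEY_%d}\" " $idx -}}
{{- end -}}
{{- if not (hasKey $values "secret") -}}
{{- printf "--secret \"${GITEA_OAUTH_SECRET_%d}\" " $idx -}}
{{- end -}}
{{- end -}}
```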


@ -104,23 +104,27 @@ stringData:
configure_ldap configure_ldap
{{- if .Values.gitea.oauth.enabled }}
function configure_oauth() { function configure_oauth() {
local OAUTH_NAME={{ (printf "%s" .Values.gitea.oauth.name) | squote }} {{- if .Values.gitea.oauth }}
{{- range $idx, $value := .Values.gitea.oauth }}
local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " " "{print \$1}") local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " " "{print \$1}")
if [[ -z "${AUTH_ID}" ]]; then if [[ -z "${AUTH_ID}" ]]; then
echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..." echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
gitea admin auth add-oauth {{- include "gitea.oauth_settings" . | indent 1 }} gitea admin auth add-oauth {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
echo '...installed.' echo '...installed.'
else else
echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..." echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" . | indent 1 }} gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
echo '...sync settings done.' echo '...sync settings done.'
fi fi
{{- end }}
{{- else }}
echo 'no oauth configuration... skipping.'
{{- end }}
} }
configure_oauth configure_oauth
{{- end }}
echo '==== END GITEA CONFIGURATION ====' echo '==== END GITEA CONFIGURATION ===='
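Review bot: The `AUTH_ID` lookup interpolates `${OAUTH_NAME}` straight into a `grep -E` pattern, and with several sources now looping through this function a name containing regex metacharacters (for example `OAuth (prod)` or `github+`) will fail to match the stored name, so the `add-oauth` branch runs on every start and creates a duplicate source instead of updating the existing one; this predates the change but the multi-source loop makes it far more likely to bite. The name can be escaped at render time, e.g. `local OAUTH_NAME_RE={{ $value.name | regexQuoteMeta | squote }}` next to the existing `OAUTH_NAME` line, and the grep changed to `grep -E "\|${OAUTH_NAME_RE}\s+\|"`, keeping `OAUTH_NAME` for the echo messages. Note too that the client secret still reaches `gitea admin auth add-oauth`/`update-oauth` as a command-line argument, so it is readable from the process list for the duration of that call even when it is sourced from the Kubernetes Secret; the rendered script no longer embeds the literal value, which is the real gain here, and a one-line comment above `gitea admin auth add-oauth` saying so would keep a future reader from assuming the secret is never exposed.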


@ -20,7 +20,9 @@ spec:
{{- range $idx, $value := .Values.gitea.ldap }} {{- range $idx, $value := .Values.gitea.ldap }}
checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }} checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }}
{{- end }} {{- end }}
checksum/oauth: {{ include "gitea.oauth_settings" . | sha256sum }} {{- range $idx, $value := .Values.gitea.oauth }}
checksum/oauth_{{ $idx }}: {{ include "gitea.oauth_settings" (list $idx $value) | sha256sum }}
{{- end }}
{{- with .Values.gitea.podAnnotations }} {{- with .Values.gitea.podAnnotations }}
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
@ -140,6 +142,22 @@ spec:
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.gitea.oauth }}
{{- range $idx, $value := .Values.gitea.oauth }}
{{- if $value.existingSecret }}
- name: GITEA_OAUTH_KEY_{{ $idx }}
valueFrom:
secretKeyRef:
key: key
name: {{ $value.existingSecret }}
- name: GITEA_OAUTH_SECRET_{{ $idx }}
valueFrom:
secretKeyRef:
key: secret
name: {{ $value.existingSecret }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.gitea.admin.existingSecret }} {{- if .Values.gitea.admin.existingSecret }}
- name: GITEA_ADMIN_USERNAME - name: GITEA_ADMIN_USERNAME
valueFrom: valueFrom:
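Review bot: `name: {{ $value.existingSecret }}` on both `secretKeyRef` entries is rendered unquoted, so a Secret whose name parses as a non-string YAML scalar (all digits, or a word such as `true`, both valid DNS-1123 names) would be emitted as a number or boolean and rejected by the API server; use `name: {{ $value.existingSecret | quote }}` on both lines. The entry names `key` and `secret` are hard-wired, so an operator cannot point at a pre-existing Secret that stores the credentials under other keys without copying it; if that is intended, the values.yaml comment should state that the referenced Secret must carry exactly those two entries. The outer `{{- if .Values.gitea.oauth }}` around the `range` is redundant, since ranging over an empty list or nil emits nothing. Also, when `existingSecret` is used the `checksum/oauth_{{ $idx }}` annotation in the first hunk hashes only the `${GITEA_OAUTH_SECRET_N}` placeholder, so rotating the referenced Secret will not by itself roll the pods — a caveat worth a comment next to the annotation.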


@ -181,18 +181,19 @@ gitea:
# usernameAttribute: # usernameAttribute:
# publicSSHKeyAttribute: # publicSSHKeyAttribute:
oauth: # Either specify inline `key` and `secret` or refer to them via `existingSecret`
enabled: false oauth: []
#name: # - name: 'OAuth 1'
#provider: # provider:
#key: # key:
#secret: # secret:
#autoDiscoverUrl: # existingSecret:
#useCustomUrls: # autoDiscoverUrl:
#customAuthUrl: # useCustomUrls:
#customTokenUrl: # customAuthUrl:
#customProfileUrl: # customTokenUrl:
#customEmailUrl: # customProfileUrl:
# customEmailUrl:
config: {} config: {}
# APP_NAME: "Gitea: Git with a cup of tea" # APP_NAME: "Gitea: Git with a cup of tea"
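Review bot: The new comment above `oauth: []` should spell out the contract the templates rely on: the Secret named in `existingSecret` must contain entries named `key` and `secret`, inline `key`/`secret` values are written into the rendered init Secret and into the Helm release history, and when both an inline value and `existingSecret` are given the inline value appears to win (the helper only substitutes the placeholder when the key is absent). Suggested wording: `# Either specify inline key and secret or refer to them via existingSecret.`, `# The referenced Secret must contain the entries "key" and "secret"; inline values win if both are set.`, `# Inline values end up in the rendered init script Secret and in the Helm release history.`. The old `enabled` flag is silently ignored now, so a line such as `# NOTE: the pre-5.0.0 map form (enabled/name/...) must be converted to this list form` would make the breaking change visible where users actually edit it.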