matthew/helm-chart
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Rewrite init script (#178)

Browse Source 
These changes rewrite the init script to be error aware, informative and have a bit more security awareness.

During rewrite several hidden bugs could be identified and fixed, such as:

- LDAP configuration options interpreted by the shell before passed to command
- Finding multiple ldap ids instead of one during lookup when their names are almost identical
e.g. `_my-ldap-auth` and `my-ldap-auth`
- Properly filter auth sources by their types to prevent unintended type converting attempts that fail

In addition to that the script is a bit cleaner. Some commands do not exist anymore and would cause false-positive errors during script execution.

Helps for: #149

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/178
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
This commit is contained in:
justusbunsi 2021-06-30 04:09:16 +08:00 committed by techknowlogick
parent 6a6eb35106
commit 9059229acb
4 changed files with 130 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@ -356,6 +356,14 @@ gitea:
existingSecret: gitea-ldap-secret
```
:warning: Some options are just flags and therefore don't any values. If they are defined in `gitea.ldap` configuration, they will be passed to the gitea cli without any value. Affected options:
- notActive | not-active
- skipTlsVerify | skip-tls-verify
- allowDeactivateAll | allow-deactivate-all
- synchronizeUsers | synchronize-users
- attributesInBind | attributes-in-bind
### OAuth2 Settings
Like the admin user, OAuth2 settings can be updated and disabled but not deleted. Deleting OAuth2 settings has to be done in the ui.

7
templates/_helpers.tpl
View File

@ -116,6 +116,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- $_ := set .Values.gitea.ldap "bindPassword" "" -}}
{{- end -}}
{{- $flags := list "not-active" "skip-tls-verify" "allow-deactivate-all" "synchronize-users" "attributes-in-bind" -}}
{{- range $key, $val := .Values.gitea.ldap -}}
{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
{{- if eq ($key | kebabcase) "bind-dn" -}}
@ -124,8 +125,10 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_PASSWORD}" | quote ) -}}
{{- else if eq $key "port" -}}
{{- printf "--%s %d " ($key | kebabcase) ($val | int) -}}
{{- else if (has ($key | kebabcase) $flags) -}}
{{- printf "--%s " ($key | kebabcase) -}}
{{- else -}}
{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
{{- end -}}
{{- end -}}
{{- end -}}
@ -134,7 +137,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- define "gitea.oauth_settings" -}}
{{- range $key, $val := .Values.gitea.oauth -}}
{{- if ne $key "enabled" -}}
{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
{{- end -}}
{{- end -}}
{{- end -}}

121
templates/gitea/init.yaml
View File

@ -6,8 +6,11 @@ metadata:
{{- include "gitea.labels" . | nindent 4 }}
type: Opaque
stringData:
init_gitea.sh: |-
#!/bin/bash
init_directory_structure.sh: |-
#!/usr/bin/env bash
set -euo pipefail
{{- if .Values.initPreScript }}
# BEGIN: initPreScript
{{- with .Values.initPreScript -}}
@ -16,6 +19,8 @@ stringData:
# END: initPreScript
{{- end }}
set -x
{{- if not .Values.image.rootless }}
chown 1000:1000 /data
{{- end }}
@ -31,44 +36,90 @@ stringData:
# Copy config file to writable volume
cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
chmod a+rwx /data/gitea/conf/app.ini
configure_gitea.sh: |-
#!/usr/bin/env bash
set -euo pipefail
{{- if include "db.servicename" . }}
# Wait for database to become avialble
nc -v -w2 -z {{ include "db.servicename" . }} {{ include "db.port" . }} && \
# Connection retry inspired by https://gist.github.com/dublx/e99ea94858c07d2ca6de
function test_db_connection() {
local RETRY=0
local MAX=30
echo 'Wait for database to become avialable...'
until [ "${RETRY}" -ge "${MAX}" ]; do
nc -vz -w2 {{ include "db.servicename" . }} {{ include "db.port" . }} && break
RETRY=$[${RETRY}+1]
echo "...not ready yet (${RETRY}/${MAX})"
done
if [ "${RETRY}" -ge "${MAX}" ]; then
echo "Database not reachable after '${MAX}' attempts!"
exit 1
fi
}
test_db_connection
{{- end }}
{{- if not .Values.image.rootless }}
su git -c ' \
{{- end }}
set -x; \
gitea migrate; \
echo '==== BEGIN GITEA CONFIGURATION ===='
gitea migrate
{{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
gitea admin create-user --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
|| \
gitea admin change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" \
|| \
gitea admin user create --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
|| \
gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"; \
function configure_admin_user() {
local ACCOUNT_ID=$(gitea admin user list --admin | grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+" | awk -F " " "{printf \$1}")
if [[ -z "${ACCOUNT_ID}" ]]; then
echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
echo '...created.'
else
echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
echo '...password sync done.'
fi
}
configure_admin_user
{{- end }}
{{- if .Values.gitea.ldap.enabled }}
gitea admin auth add-ldap \
{{- include "gitea.ldap_settings" . | nindent 6 }} \
|| \
( \
export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.ldap.name | quote }} | awk -F " " "{print \$1}"); \
gitea admin auth update-ldap --id ${GITEA_AUTH_ID} \
{{- include "gitea.ldap_settings" . | nindent 6 }} \
) \
function configure_ldap() {
local LDAP_NAME={{ (printf "%s" .Values.gitea.ldap.name) | squote }}
local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " " "{print \$1}")
if [[ -z "${GITEA_AUTH_ID}" ]]; then
echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
gitea admin auth add-ldap {{- include "gitea.ldap_settings" . | indent 1 }}
echo '...installed.'
else
echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..."
gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" . | indent 1 }}
echo '...sync settings done.'
fi
}
configure_ldap
{{- end }}
{{- if .Values.gitea.oauth.enabled }}
gitea admin auth add-oauth \
{{- include "gitea.oauth_settings" . | nindent 6 }} \
|| \
( \
export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.oauth.name | quote }} | awk -F " " "{print \$1}"); \
gitea admin auth update-oauth --id ${GITEA_AUTH_ID} \
{{- include "gitea.oauth_settings" . | nindent 6 }} \
) \
{{- end }}
{{- if not .Values.image.rootless }}
'
function configure_oauth() {
local OAUTH_NAME={{ (printf "%s" .Values.gitea.oauth.name) | squote }}
local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " " "{print \$1}")
if [[ -z "${AUTH_ID}" ]]; then
echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
gitea admin auth add-oauth {{- include "gitea.oauth_settings" . | indent 1 }}
echo '...installed.'
else
echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" . | indent 1 }}
echo '...sync settings done.'
fi
}
configure_oauth
{{- end }}
echo '==== END GITEA CONFIGURATION ===='

35
templates/gitea/statefulset.yaml
View File

@ -38,9 +38,38 @@ spec:
securityContext:
fsGroup: 1000
initContainers:
- name: init
- name: init-directories
image: "{{ include "gitea.image" . }}"
command: ["/usr/sbin/init_gitea.sh"]
command: ["/usr/sbin/init_directory_structure.sh"]
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
- name: GITEA_CUSTOM
value: /data/gitea
- name: GITEA_WORK_DIR
value: /data
- name: GITEA_TEMP
value: /tmp/gitea
{{- if .Values.statefulset.env }}
{{- toYaml .Values.statefulset.env | nindent 12 }}
{{- end }}
volumeMounts:
- name: init
mountPath: /usr/sbin
- name: temp
mountPath: /tmp
- name: config
mountPath: /etc/gitea/conf
- name: data
mountPath: /data
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
- name: configure-gitea
image: "{{ include "gitea.image" . }}"
command: ["/usr/sbin/configure_gitea.sh"]
securityContext:
runAsUser: 1000
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
@ -92,8 +121,6 @@ spec:
mountPath: /usr/sbin
- name: temp
mountPath: /tmp
- name: config
mountPath: /etc/gitea/conf
- name: data
mountPath: /data
{{- if .Values.extraVolumeMounts }}