Commit Graph

287 Commits

Author SHA1 Message Date
nmasse-itix
bef0cea1b1 split the securityContext in two: pod and container securityContext (#259)
Hello !

I'm using the new Helm chart (5.x) and I really like the new configuration mechanism. 👍

I would like to contribute the following enhancement.

## The problem I want to solve

I'm trying to deploy Gitea in a Kubernetes shared platform and I need to make sure each instance is running as a different user so that in case of container escape, the risk of data leak is minimized.

Additionally, on my platform (OpenShift), arbitrary users (such as uid 1000 for Gitea) are not allowed.

The current helm chart does not allow me to achieve this because:
- the container security context is configurable only for the main container. The security context of init containers cannot be specified.
- a fixed uid is hard coded
- a fixed fs group is hard coded

Also, the securityContext of a pod and the securityContext of a container do not accept the same options.

- https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#podsecuritycontext-v1-core
- https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#securitycontext-v1-core

## How I'm solving the problem

I split the `securityContext` (values.yaml) in two: `containerSecurityContext` and `podSecurityContext`. The containerSecurityContext applies to all containers (init and main) in order to be consistent with file permissions.

The behavior for existing deployments is unchanged:

- fsGroup 1000 is the default value for the podSecurityContext variable
- the "configure-gitea" init container uses the uid 1000 unless otherwise stated in the containerSecurityContext
- the main container is using the existing securityContext variable when defined in order not to break existing deployments and uses the new containerSecurityContext variable if not.

This approach is well tested: it is used consistently on bitnami's Helm charts.

## How I tested

I tested both root and rootless variants on a Kubernetes 1.22, as well as rootless variant on OpenShift 4.7.

**rootless variant on Kubernetes**:

```yaml
podSecurityContext:
  fsGroup: 10001

containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
    add:
      - SYS_CHROOT
  privileged: false
  runAsGroup: 10001
  runAsNonRoot: true
  runAsUser: 10001

extraVolumes:
- name: var-lib-gitea
  emptyDir: {}

extraVolumeMounts:
- name: var-lib-gitea
  readOnly: false
  mountPath: "/var/lib/gitea"
```

**rootless variant on OpenShift**:

```yaml
podSecurityContext:
  fsGroup: null

containerSecurityContext:
  allowPrivilegeEscalation: false
  privileged: false
  runAsNonRoot: true
  runAsUser: 1000790000

extraVolumes:
- name: var-lib-gitea
  emptyDir: {}

extraVolumeMounts:
- name: var-lib-gitea
  readOnly: false
  mountPath: "/var/lib/gitea"
```

Let me know if something is unclear.

Co-authored-by: Nicolas MASSE <nicolas.masse@itix.fr>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/259
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-authored-by: nmasse-itix <nmasse-itix@noreply.gitea.io>
Co-committed-by: nmasse-itix <nmasse-itix@noreply.gitea.io>
2021-12-18 19:10:48 +08:00
justusbunsi
bfa68f6f58 Drop custom probes (#248)
As a replacement, the default probes are now fully configurable and used
as-is during Chart deployment.

Fixes: #189

⚠️ BREAKING ⚠️
---

Users have to remove the `custom` prefix from their probes, if customized.

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/248
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
2021-12-13 16:50:08 +08:00
luhahn
0461fa92a9 Rework app.ini generation (#239)
App ini is now generated by environment-to-ini

This should prevent some of the problems we had earlier with persisting the app.ini

Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/239
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Reviewed-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: luhahn <luhahn@noreply.gitea.io>
Co-committed-by: luhahn <luhahn@noreply.gitea.io>
2021-11-20 05:15:45 +08:00
Markus Pesch
82763f109b feat/markdownlint (#200)
Hi,
this patch contains a markdownlinter. I think this has the advantage that all users stick to the same format and the `README.md` follows a consistent structure.

The markdownlinter can be configured via the `.markdownlint.yaml` file. All possible options are [here](https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml) documented.

I have created the initialie configuration. However, can be adapted to suggestions for change. Has of course the consequence that if necessary the `README.md` would have to be adapted. I have formatted this in advance according to the defined rules.

For users which use visual-code as IDE is additionally a plugin [available](https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint).

Co-authored-by: Markus Pesch <markus.pesch@cryptic.systems>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/200
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-by: pat-s <pat-s@noreply.gitea.io>
Co-authored-by: Markus Pesch <volker.raschek@noreply.gitea.io>
Co-committed-by: Markus Pesch <volker.raschek@noreply.gitea.io>
2021-11-05 12:06:48 +08:00
techknowlogick
3fd34a9455 1.15.4 (#230)
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/230
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Reviewed-by: pat-s <pat-s@noreply.gitea.io>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-committed-by: techknowlogick <techknowlogick@gitea.io>
2021-10-17 00:08:17 +08:00
luhahn
3273b245e7 Add multiple LDAP sources (#222)
Add multiple add sources.

Instead of a single entry for ldap configuration we now would have a dictionary for ldap config.

This would be a breaking change for those working with the ldap config.

fixes: #190

Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/222
Reviewed-by: Andrew Thornton <art27@cantab.net>
Reviewed-by: pat-s <pat-s@noreply.gitea.io>
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-authored-by: luhahn <luhahn@noreply.gitea.io>
Co-committed-by: luhahn <luhahn@noreply.gitea.io>
2021-10-08 20:16:24 +08:00
pat-s
b344673d11 Add dev instructions to README (#228)
FYI: My editor automatically changes two trailing whitespaces into a linebreak. I know it's not completely the same but maybe it can be accepted (would make things easier in the long run).
Co-authored-by: pat-s <patrick.schratz@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/228
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: pat-s <pat-s@noreply.gitea.io>
Co-committed-by: pat-s <pat-s@noreply.gitea.io>
2021-09-28 03:52:37 +08:00
techknowlogick
5a7d168c2e 1.15.3 (#225)
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/225
Reviewed-by: pat-s <pat-s@noreply.gitea.io>
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-committed-by: techknowlogick <techknowlogick@gitea.io>
2021-09-26 08:44:59 +08:00
techknowlogick
9a220c2ddd 1.15.0 (#218)
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/218
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-committed-by: techknowlogick <techknowlogick@gitea.io>
2021-09-12 06:40:47 +08:00
wkit23
ce3e9babec Add support for ingressClassName (#217)
Hi,

I just add some minor changes to support specifying ingressClassName to support the newer specification in `networking.k8s.io/v1`. The annotation `kubernetes.io/ingress.class: nginx` only works with older API `networking.k8s.io/v1beta1`.

This is part of our move to support kubernetes 1.22.

Co-authored-by: Leong Wai Kit <waikit.leong@bertelsmann.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/217
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: wkit23 <wkit23@noreply.gitea.io>
Co-committed-by: wkit23 <wkit23@noreply.gitea.io>
2021-09-02 10:53:48 +08:00
Michael Kriese
4ef9a3ec35 fix: Only create conf directoy if not exists (#211)
Only create conf directory if not yet exists

fixes #210

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/211
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-authored-by: Michael Kriese <michael.kriese@visualon.de>
Co-committed-by: Michael Kriese <michael.kriese@visualon.de>
2021-08-15 20:43:51 +08:00
techknowlogick
ba0e8b18b5 1.14.6 (#212)
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/212
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-committed-by: techknowlogick <techknowlogick@gitea.io>
2021-08-13 04:14:49 +08:00
skriesch
9e7387f0f8 Fix for #203 possible existingClaim at persistence with namespace variable in the name (#204)
Fix for #203

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/204
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: skriesch <skriesch@noreply.gitea.io>
Co-committed-by: skriesch <skriesch@noreply.gitea.io>
2021-07-17 10:47:41 +08:00
luhahn
6342a4dabd Document breaking changes (#202)
Documented some breaking changes. Please have a look and tell me, if I missed something :)

Fixes: #194
Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/202
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: luhahn <luhahn@noreply.gitea.io>
Co-committed-by: luhahn <luhahn@noreply.gitea.io>
2021-07-13 01:33:38 +08:00
justusbunsi
7de326d931 Drop kebab-case configuration notation (#196)
Currently there are two different styles for defining both ldap and oauth configuration in _values.yaml_ file: `camelCase` and `kebab-case`.
Supporting both styles created multiple regressions in the past.

⚠️ BREAKING ⚠️
---------------
These changes completely remove any support for `kebab-case` notation in _values.yaml_ in favor of `camelCase`. Configuration keys must use `camelCase`.
Only exception are Kubernetes resource keys for annotations or labels.

Fixes: #188

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/196
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
2021-07-06 13:28:13 +08:00
Markus Pesch
767a073a0a SSH not working due missing security capability in CRI-O environment (#176)
This patch add the SYS_CHROOT capability if the securityContext is
undefined. Otherwise the SSH Server does not work correctly as described
in the issue #161.

Fixes: #161

Co-authored-by: Markus Pesch <markus.pesch@cryptic.systems>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/176
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Co-authored-by: Markus Pesch <volker.raschek@noreply.gitea.io>
Co-committed-by: Markus Pesch <volker.raschek@noreply.gitea.io>
2021-07-01 23:02:56 +08:00
justusbunsi
b7dbb22025 Upgrade Gitea to 1.14.3 (#197)
Fixes: #195

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/197
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
2021-06-30 23:25:56 +08:00
justusbunsi
9059229acb Rewrite init script (#178)
These changes rewrite the init script to be error aware, informative and have a bit more security awareness.

During rewrite several hidden bugs could be identified and fixed, such as:

- LDAP configuration options interpreted by the shell before passed to command
- Finding multiple ldap ids instead of one during lookup when their names are almost identical
e.g. `_my-ldap-auth` and `my-ldap-auth`
- Properly filter auth sources by their types to prevent unintended type converting attempts that fail

In addition to that the script is a bit cleaner. Some commands do not exist anymore and would cause false-positive errors during script execution.

Helps for: #149

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/178
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
2021-06-30 04:09:16 +08:00
justusbunsi
6a6eb35106 Fix regression for unspecified DOMAIN and ROOT_URL (#185)
In case a user did not specify DOMAIN in .Values.gitea.config.server,
the chart generated incorrect value for that app.ini setting so that
Gitea crashed on startup.

Same for ROOT_URL.

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/185
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
2021-06-30 03:24:44 +08:00
justusbunsi
7a3515c2f2 Customizable .gnupg folder location (#186)
The `HOME` path is not persistent when using the rootless image, so the
`.gnupg` folder isn't either. Since the chart always used `/data/...` as
mount point for storage of all kinds, it is a minimal impact to just
relocate the dynamic `$HOME/.gnupg` folder location to the persistent
`/data/git/.gnupg`. This is where the signing keys are stored when
running root based environments. Doing so will

 - allow migrations between both image variants
 - persist signing keys for rootless environments

Fixes: #155

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/186
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
2021-06-30 03:23:32 +08:00
justusbunsi
2901671d23 Update maintainers (#192)
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/192
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
2021-06-30 03:22:46 +08:00
mattkaar
0e191bfc7a Support custom Ingress path (#151)
Adds support for a custom Ingress path. This allows us to run Gitea as a path in an existing domain.

Co-authored-by: Matt Kaar <mkaar@cert.org>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/151
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-authored-by: mattkaar <mattkaar@noreply.gitea.io>
Co-committed-by: mattkaar <mattkaar@noreply.gitea.io>
2021-06-25 02:28:45 +08:00
justusbunsi
d6eb50ca35 Fix admin + ldap configuration (#183)
This fixes several flaws introduced by commits for #169 (see c49dc047a4).

 - Respect kebab-case ldap bind inline definition
 - Prevent camelCase ldap bind inline definition from being overridden by empty string
 - Create admin account when `existingSecret` is used

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/183
Reviewed-by: Andrew Thornton <art27@cantab.net>
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
2021-06-21 21:28:18 +08:00
justusbunsi
f0ed41de9e Fix minor README flaws (#184)
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/184
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
2021-06-20 03:35:21 +08:00
luhahn
f344b4559d Upgrade Gitea dependencies (#141)
- postgresql 9.7.2 to 10.3.17
- mariadb 8.0.0 to 9.3.6
- memcached 4.2.20 to 5.9.0

Tested on my clusters.

Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/141
Reviewed-by: Andrew Thornton <art27@cantab.net>
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: luhahn <luhahn@noreply.gitea.io>
Co-committed-by: luhahn <luhahn@noreply.gitea.io>
2021-06-16 05:09:02 +08:00
luhahn
e3b03cd61a Fix LDAP Ppassword env variable (#182)
Fixes: #179

Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/182
Reviewed-by: Andrew Thornton <art27@cantab.net>
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: luhahn <luhahn@noreply.gitea.io>
Co-committed-by: luhahn <luhahn@noreply.gitea.io>
2021-06-16 05:07:59 +08:00
luhahn
c49dc047a4 Allow existing secrets for passwords (#170)
Allow admin user and password to be configured via existing secrets

Allow LDAP bindDn and bindPassword to be configured via existing secrets

Update Readme

Fixes: #169

Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/170
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: luhahn <luhahn@noreply.gitea.io>
Co-committed-by: luhahn <luhahn@noreply.gitea.io>
2021-06-10 19:13:33 +08:00
justusbunsi
6e841e6e26 Fix regression for creating repositories in root-based containers (#172)
Due to #160 it was no longer possible to create repositories in root-based containers. This was caused by the missing `/tmp/gitea` directory in that image. It was dynamically created by Gitea internal functionality with less privileges than necessary.

Explicitly creating the directory and set proper permissions fix this.

Fixes: #171

Co-authored-by: JustusBunsi <sk.bunsenbrenner@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/172
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: 6543 <6543@obermui.de>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
2021-06-09 22:35:50 +08:00
luhahn
f0070ef64b Add check on chown in init container (#165)
The chown in the init container will fail in the rootles image.
Checking if the image is rootless or not will prevent this error noise.

Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/165
Reviewed-by: Andrew Thornton <art27@cantab.net>
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: luhahn <luhahn@noreply.gitea.io>
Co-committed-by: luhahn <luhahn@noreply.gitea.io>
2021-06-09 19:42:49 +08:00
techknowlogick
6b8b64f607 use new s3 bucket for artifacts 2021-06-08 02:05:07 +08:00
techknowlogick
6fa80222a6 update to latest v of alpine 2021-06-08 02:02:59 +08:00
techknowlogick
031b58c90e update docs for 1.14.2
Signed-off-by: techknowlogick <techknowlogick@gitea.io>
2021-06-08 01:55:05 +08:00
luhahn
178bc0ab79 Improve http service and update Readme (#167)
This PR adds some options for the http service:

- loadBalancerIP
- nodePort
- externalTrafficPolicy
- externalIPs

Also updated the README and values.yml with the values.

Added storageClass explanation in README and empty value in values.yml

Fixes: #162

Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/167
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Reviewed-by: 6543 <6543@obermui.de>
Co-authored-by: luhahn <luhahn@noreply.gitea.io>
Co-committed-by: luhahn <luhahn@noreply.gitea.io>
2021-06-08 01:53:01 +08:00
modzilla
441f0748e9 Fixing prometheus monitoring (#157)
At least the latest versions of prometheus watch for a label called "release" and not "prometheus" so with that change prometheus started collecting logs.

If that old label is still needed, we / I could change it to add entries from "additionalLabels", so that we are quite flexible and don't have breaking changes.

Co-authored-by: Justin Lamp <jlamp@vater-gruppe.de>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/157
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: modzilla <modzilla@noreply.gitea.io>
Co-committed-by: modzilla <modzilla@noreply.gitea.io>
2021-06-07 22:28:28 +08:00
justusbunsi
5ab596937a Fix rootless image usage with enhanced security-context (#160)
I've noticed that the commented `securityContext` is not really useable with the rootless image due to different directory structure compared to the default image.

Important for the `readOnlyRootFilesystem` is to declare the `TMPDIR` environment variable, so that the tmp directory (which is readonly in this case) won't be used. Instead, another writeable directory can be used.

Another thing is the explicit hint that all these security options cannot be used with the default (root-based) image, because of its design.

~~Although this PR would fix the referenced issue, I am not totally happy with the current implementation. It would be more straight forward to use the same mount points for both image variants. Unfortunately, this is not possible right now due to hard coded paths in the default (root) image startup scripts.~~

~~Anyone have suggestions on how this could be more simple?~~

-------

**Sum-up:**
As mentioned in Discord, this PR tried to make too many changes. The necessary changes made in 1f331a7e6577fc798196a84a957330aca0d663cd will fix an error that occurs due to restricted access to the `/tmp` directory in a rootless image with all the `securityContext` options enabled.

I also updated the default image to 1.14.2.

Fixes: #158

Co-authored-by: JustusBunsi <sk.bunsenbrenner@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/160
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: 6543 <6543@obermui.de>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
2021-06-07 21:27:25 +08:00
mrdima
5b5ea7173a Add value option to define schedulerName (#150)
For those who have a need to configure the schedulerName like us, make this an option just as it is for example in the postgres chart

Co-authored-by: Dimitri Ars <dimitri.ars@kpn.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/150
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: mrdima <mrdima@noreply.gitea.io>
Co-committed-by: mrdima <mrdima@noreply.gitea.io>
2021-06-07 16:41:16 +08:00
luhahn
b88bbd6d4d gitea-1.14.x-updates (#148)
This PR includes the changes from:

- https://gitea.com/gitea/helm-chart/pulls/129
- https://gitea.com/gitea/helm-chart/pulls/140

In addition it adds the possibility to include secrets via environment variables as mentioned in #60

Co-authored-by: Hans Kristian Flaatten <hans.flaatten@evry.com>
Co-authored-by: flavio.prado <flavio.prado@noreply.gitea.io>
Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/148
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Reviewed-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: luhahn <luhahn@noreply.gitea.io>
Co-committed-by: luhahn <luhahn@noreply.gitea.io>
2021-04-29 17:12:48 +08:00
luhahn
2b01e6ece6 Fix permissions on external mounts (#144)
Co-authored-by: luhahn <lucas.hahn@novum-rgi.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/144
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: luhahn <luhahn@noreply.gitea.io>
Co-committed-by: luhahn <luhahn@noreply.gitea.io>
2021-04-19 20:30:02 +08:00
techknowlogick
c742b5dbc3 1.13.7 (#139)
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/139
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-committed-by: techknowlogick <techknowlogick@gitea.io>
2021-04-12 15:58:17 +08:00
luhahn
ec8a26ecfc Update Gitea version to 1.13.5 (#134)
Co-authored-by: luhahn <lucas.hahn@novum-rgi.de>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/134
Reviewed-by: Andrew Thornton <art27@cantab.net>
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: luhahn <luhahn@noreply.gitea.io>
Co-committed-by: luhahn <luhahn@noreply.gitea.io>
2021-03-22 21:01:33 +08:00
kaipmdh
8d8dd0d84e Update README.md for typo fixes and grammar (#131)
Minor changes to grammar, minor typo fixes.

Signed-off-by: kaipmdh <kaipmdh@noreply.gitea.io>

Co-authored-by: lafriks <lafriks@noreply.gitea.io>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/131
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: lafriks <lafriks@noreply.gitea.io>
Co-authored-by: kaipmdh <kaipmdh@noreply.gitea.io>
Co-committed-by: kaipmdh <kaipmdh@noreply.gitea.io>
2021-03-17 08:09:44 +08:00
Nakrez
0f1e991889 Add possibiliy to define statefulset labels (#130)
This change adds a new value *statefulset.labels* to allow the user to add custom labels to the StatefulSet.

An example of where this could be useful is if gitea's pvc is stored on OpenEBS. With this new option, the user can add the extra *openebs.io/sts-target-affinity* label to specify that the volume target pod should run on the same node as gitea's StatefulSet.

Co-authored-by: Baptiste Covolato <b.covolato@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/130
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: lafriks <lafriks@noreply.gitea.io>
Co-authored-by: Nakrez <nakrez@noreply.gitea.io>
Co-committed-by: Nakrez <nakrez@noreply.gitea.io>
2021-03-17 08:07:42 +08:00
Nakrez
1eb0eee3bc Make the chart work with a sqlite3 database (#124)
There are currently 2 issues that prevent using this chart to deploy gitea with a SQLite3 database.

1) The value from *gitea.config.database.HOST* is used to set *db.servicename* when  all the databases under *gitea.database.buildIn* are not enabled. This causes a type error during the template processing:
`Error: UPGRADE FAILED: template: gitea/templates/gitea/init.yaml:24:20: executing "gitea/templates/gitea/init.yaml" at <include "db.servicename" .>: error calling include: template: gitea/templates/_helpers.tpl:64:31: executing "db.servicename" at <.Values.gitea.config.database.HOST>: wrong type for value; expected string; got interface {}`

2) In *init_gitea.sh*, we use the value *db.servicename* and *db.port* to ping the database. If this database responds to ping, we proceed with the init. The problem here is that *db.port* is not set when all the databases under *gitea.database.buildIn* are disabled. In turn, this raises an error from busybox's *nc*, because no parameter is passed for *PORT*. This causes the init container to go in *CrashLoopBackOff* forever.

The simple fix that is proposed in this PR is to check wether or not *.Values.gitea.config.database.DB_TYPE* is set to determine the value *db.servicename*. If *DB_TYPE* is *'sqlite3'*, leave *db.servicename* empty and use that to bypass the database ping.

Co-authored-by: Baptiste Covolato <b.covolato@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/124
Reviewed-by: Andrew Thornton <art27@cantab.net>
Reviewed-by: lafriks <lafriks@noreply.gitea.io>
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Co-authored-by: Nakrez <nakrez@noreply.gitea.io>
Co-committed-by: Nakrez <nakrez@noreply.gitea.io>
2021-03-04 16:43:52 +08:00
luhahn
9106d68cdc Fix ServiceMonitor selector labels (#125)
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/125
Reviewed-by: Andrew Thornton <art27@cantab.net>
Reviewed-by: lafriks <lafriks@noreply.gitea.io>
Co-authored-by: luhahn <luhahn@noreply.gitea.io>
Co-committed-by: luhahn <luhahn@noreply.gitea.io>
2021-03-02 17:10:38 +08:00
Michael Kriese
551f4e312e Allow override kubernetes probes (#117)
- Allow overriding liveness and readiness probe
- Add optional startup probe

closes #118

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/117
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: lafriks <lafriks@noreply.gitea.io>
Co-authored-by: Michael Kriese <michael.kriese@visualon.de>
Co-committed-by: Michael Kriese <michael.kriese@visualon.de>
2021-03-01 22:46:05 +08:00
Dunky13
d1c58a2e77 OAuth2 configuration options (#123)
I opened up the OAuth2 authentication option. I needed this feature, and it is available in the gitea cli. So I opened it up for configuration through this pull request.

Hope it can help others.

Co-authored-by: Marc Went <marc.went+git@redkubes.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/123
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: lafriks <lafriks@noreply.gitea.io>
Co-authored-by: Dunky13 <dunky13@noreply.gitea.io>
Co-committed-by: Dunky13 <dunky13@noreply.gitea.io>
2021-03-01 20:24:11 +08:00
Starefossen
9213f0d1f5 Add app and version labels (#121)
This pull request adds the `app` and `version` labels that are used by Istio.

> Pods with app and version labels: We recommend adding an explicit app label and version label to the specification of the pods deployed using a Kubernetes Deployment. The app and version labels add contextual information to the metrics and telemetry that Istio collects.
>
> * The app label: Each deployment should have a distinct app label with a meaningful value. The app label is used to add contextual information in distributed tracing.
>
> * The version label: This label indicates the version of the application corresponding to the particular deployment.

From https://istio.io/latest/docs/ops/deployment/requirements/#pod-requirements

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/121
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: lafriks <lafriks@noreply.gitea.io>
Co-authored-by: Starefossen <starefossen@noreply.gitea.io>
Co-committed-by: Starefossen <starefossen@noreply.gitea.io>
2021-03-01 20:20:55 +08:00
Starefossen
7ed82c7a63 Add ServiceMonitor Prometheus selector label (#116)
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/116
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: lafriks <lafriks@noreply.gitea.io>
Co-authored-by: Starefossen <starefossen@noreply.gitea.io>
Co-committed-by: Starefossen <starefossen@noreply.gitea.io>
2021-03-01 20:18:09 +08:00
martencassel
33903d8f6c Add support to run gitea with an optional securityContext (#115)
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/115
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: lafriks <lafriks@noreply.gitea.io>
Co-authored-by: martencassel <martencassel@noreply.gitea.io>
Co-committed-by: martencassel <martencassel@noreply.gitea.io>
2021-03-01 20:16:49 +08:00
viceice
4682597b04 fix: quote admin password (#111)
closes #110

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/111
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: viceice <viceice@noreply.gitea.io>
Co-committed-by: viceice <viceice@noreply.gitea.io>
2021-02-17 17:45:18 +08:00