docs(README): add workaround for rotating TLS certificates (#907)
The following patch extends the README with an additional chapter on how to handle rotating TLS certificates mounted as a secret into the container filesystem.

Reviewed-on: https://gitea.com/gitea/helm-gitea/pulls/907
Reviewed-by: pat-s <pat-s@noreply.gitea.com>
Co-authored-by: Markus Pesch <markus.pesch@cryptic.systems>
Co-committed-by: Markus Pesch <markus.pesch@cryptic.systems>
26
README.md
@ -33,6 +33,7 @@
|
|||||||
- [Metrics and profiling](#metrics-and-profiling)
|
- [Metrics and profiling](#metrics-and-profiling)
|
||||||
- [Secure Metrics Endpoint](#secure-metrics-endpoint)
|
- [Secure Metrics Endpoint](#secure-metrics-endpoint)
|
||||||
- [Pod annotations](#pod-annotations)
|
- [Pod annotations](#pod-annotations)
|
||||||
|
- [TLS certificate rotation](#tls-certificate-rotation)
|
||||||
- [Themes](#themes)
|
- [Themes](#themes)
|
||||||
- [Renovate](#renovate)
|
- [Renovate](#renovate)
|
||||||
- [Parameters](#parameters)
|
- [Parameters](#parameters)
|
||||||
@ -816,6 +817,31 @@ gitea:
|
|||||||
podAnnotations: {}
|
podAnnotations: {}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## TLS certificate rotation
|
||||||
|
|
||||||
|
If Gitea uses TLS certificates that are mounted as a secret in the container file system, Gitea will not automatically apply them when the TLS certificates are rotated.
|
||||||
|
Such a rotation can be for example triggered, when the cert-manager issues new TLS certificates before expiring. Further information is described as GitHub
|
||||||
|
[issue](https://github.com/go-gitea/gitea/issues/27962).
|
||||||
|
|
||||||
|
Until the issue is present, a workaround can be applied.
|
||||||
|
For example stakater's [reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update.
|
||||||
|
The following annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted `configMaps` and `secrets` have been changed.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
deployment:
|
||||||
|
annotations:
|
||||||
|
reloader.stakater.com/auto: "true"
|
||||||
|
```
|
||||||
|
|
||||||
|
Instead of triggering a rolling update for configMap and secret resources, this action can also be defined for individual items.
|
||||||
|
For example, when the secret named `gitea-tls` is mounted and the reloader controller should only listen for changes of this secret:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
deployment:
|
||||||
|
annotations:
|
||||||
|
secret.reloader.stakater.com/reload: "gitea-tls"
|
||||||
|
```
|
||||||
|
|
||||||
## Themes
|
## Themes
|
||||||
|
|
||||||
Custom themes can be added via k8s secrets and referencing them in `values.yaml`.
|
Custom themes can be added via k8s secrets and referencing them in `values.yaml`.
|
||||||
|
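Review bot: In the new "TLS certificate rotation" section, the sentence "Until the issue is present, a workaround can be applied." reads as the opposite of what is meant; "Until the issue is resolved, a workaround can be applied." matches the intent. The sentence before it breaks after "Further information is described as GitHub" with the `[issue]` link alone on the next line; keeping "described in the GitHub [issue](https://github.com/go-gitea/gitea/issues/27962)" on one line would read better. The section also does not say that the Reloader controller has to be running in the cluster for either annotation to have any effect, and one sentence stating that prerequisite would save readers from adding `reloader.stakater.com/auto: "true"` and seeing no rolling update after a certificate rotation. Since the first annotation reacts to every mounted configMap and secret, it may be worth recommending the narrower `secret.reloader.stakater.com/reload: "gitea-tls"` form when only the TLS secret should trigger a restart.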