Use Secrets for passwords and tokens

Signed-off-by: Thomas Matysik <thomas@matysik.co.nz>

templates/_helpers.tpl

@@ -29,3 +29,35 @@ Return the appropriate apiVersion for ingress.
 {{- print "networking.k8s.io/v1beta1" -}}    
 {{- end -}}    
 {{- end -}}  
+
+{{- define "gitea-secret-name" -}}
+{{- if .Values.config.secretName -}}
+    {{ .Values.config.secretName }}
+{{- else -}}
+    {{ template "fullname" . }}
+{{- end -}}
+{{- end -}}
+
+{{- define "db-secret-name" -}}
+{{- if .Values.mariadb.enabled -}}
+    {{- if .Values.mariadb.existingSecret -}}
+        {{ .Values.mariadb.existingSecret }}
+    {{- else -}}
+        {{ template "mariadb.fullname" . }}
+    {{- end -}}
+{{- else -}}
+    {{- if .Values.externalDB.secretName -}}
+        {{ .Values.externalDB.secretName }}
+    {{- else -}}
+        {{ printf "%s-externalDB" (include "fullname" .) }}
+    {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "db-secret-key" -}}
+{{- if .Values.mariadb.enabled -}}
+    {{- print "mariadb-password" -}}
+{{- else -}}
+    {{ .Values.externalDB.passwordKey }}
+{{- end -}}
+{{- end -}}

templates/deployment.yaml

@@ -38,6 +38,15 @@ spec:
       - name: gitea-config
         configMap:
           name: {{ template "fullname" . }}
+      - name: database-secret
+        secret:
+          secretName: {{ template "db-secret-name" . }}
+          items:
+            - key: {{ template "db-secret-key" . }}
+              path: db-password
+      - name: gitea-secret
+        secret:
+          secretName: {{ template "gitea-secret-name" . }}
 
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets:

templates/gitea/_container.tpl

@@ -5,17 +5,6 @@ Create helm partial for gitea server
 - name: gitea
   image: {{ .Values.images.gitea }}
   imagePullPolicy: {{ .Values.images.pullPolicy }}
-  env:
-  - name: DATABASE_PASSWORD
-    valueFrom:
-      secretKeyRef:
-      {{- if .Values.mariadb.enabled }}
-        name: {{ template "mariadb.fullname" . }}
-        key: mariadb-password
-      {{- else }}
-        name: {{ printf "%s-%s" .Release.Name "externaldb" }}
-        key: db-password
-      {{- end }}
   ports:
   - name: ssh
     containerPort: 22

templates/gitea/gitea-config.yaml

@@ -248,7 +248,7 @@ data:
     ; Where your lfs files reside, default is data/lfs.
     LFS_CONTENT_PATH = data/lfs
     ; LFS authentication secret, change this yourself
-    LFS_JWT_SECRET =
+    LFS_JWT_SECRET = HELM_LFS_JWT_SECRET
     ; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
     LFS_HTTP_AUTH_EXPIRY = 20m
 
@@ -267,20 +267,15 @@ data:
     HOST = {{ .Values.externalDB.dbHost }}:{{ .Values.externalDB.dbPort }}
     NAME = {{ .Values.externalDB.dbDatabase }}
     USER = {{ .Values.externalDB.dbUser }}
-    PASSWD = {{ .Values.externalDB.dbPassword }}
     {{ else if .Values.mariadb.enabled }}
     ; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice
     DB_TYPE = mysql
     HOST = {{ template "mariadb.fullname" . }}:3306
     NAME = {{ .Values.mariadb.db.name }}
     USER = {{ .Values.mariadb.db.user }}
+    {{ end }}
     ; Use PASSWD = `your password` for quoting if you use special characters in the password.
-    {{ if .Values.mariadb.password }}
-    PASSWD = {{ .Values.mariadb.db.password }}
-    {{ else }}
-    PASSWD = MARIADB_PASSWORD
-    {{ end }}
-    {{ end }}
+    PASSWD = HELM_DB_PASSWORD
     ; For "postgres" only, either "disable", "require" or "verify-full"
     SSL_MODE = disable
     ; For "sqlite3" and "tidb", use an absolute path when you start gitea as service
@@ -308,11 +303,8 @@ data:
     ; Whether the installer is disabled
     INSTALL_LOCK = {{ .Values.config.disableInstaller }}
     ; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
-    {{ if .Values.config.secretKey }}
-    SECRET_KEY = {{ .Values.config.secretKey }}
-    {{ else }}
-    SECRET_KEY = {{ randAlphaNum 64 | quote }}
-    {{ end }}
+    SECRET_KEY = HELM_SECRET_KEY
+    INTERNAL_TOKEN_URI = file:/data/gitea/conf/internal-token
 
 
     ; How long to remember that an user is logged in before requiring relogin (in days)
@@ -662,6 +654,20 @@ data:
     ; Max number of items in a page
     MAX_RESPONSE_ITEMS = 50
 
+    [oauth2]
+    ; Enables OAuth2 provider
+    ENABLE = true
+    ; Lifetime of an OAuth2 access token in seconds
+    ACCESS_TOKEN_EXPIRATION_TIME=3600
+    ; Lifetime of an OAuth2 access token in hours
+    REFRESH_TOKEN_EXPIRATION_TIME=730
+    ; Check if refresh token got already used
+    INVALIDATE_REFRESH_TOKENS=false
+    ; OAuth2 authentication secret for access and refresh tokens, change this to a unique string.
+    JWT_SECRET=HELM_JWT_SECRET
+    ; Maximum length of oauth2 token/cookie stored on server
+    MAX_TOKEN_LENGTH=32767
+
     [i18n]
     LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR
     NAMES = English,简体中文,繁體中文（香港）,繁體中文（台灣）,Deutsch,français,Nederlands,latviešu,русский,Українська,日本語,español,português do Brasil,polski,български,italiano,suomi,Türkçe,čeština,српски,svenska,한국어

templates/init/_container.tpl

@@ -6,26 +6,43 @@ Create helm partial for gitea server
   image: {{ .Values.images.gitea }}
   imagePullPolicy: {{ .Values.images.pullPolicy }}
   env:
-  - name: MARIADB_PASSWORD
-    valueFrom:
-      secretKeyRef:
-      {{- if .Values.mariadb.enabled }}
-        name: {{ template "mariadb.fullname" . }}
-        key: mariadb-password
-      {{- else }}
-        name: {{ printf "%s-%s" .Release.Name "externaldb" }}
-        key: db-password
-      {{- end }}
   - name: SCRIPT
     value: &script |-
       mkdir -p /datatmp/gitea/conf
-      if [ ! -f /datatmp/gitea/conf/app.ini ]; then
-        sed "s/MARIADB_PASSWORD/${MARIADB_PASSWORD}/g" < /etc/gitea/app.ini > /datatmp/gitea/conf/app.ini
+
+      if [ -f /etc/gitea-secret/internal-token ]; then
+        cp /etc/gitea-secret/internal-token /datatmp/gitea/conf/internal-token
       fi
+      if [ ! -f /datatmp/gitea/conf/internal-token ]; then
+        gitea generate secret INTERNAL_TOKEN >/datatmp/gitea/conf/internal-token
+      fi
+
+      {{- if not .Values.config.immutableConfig }}
+      if [ -f /datatmp/gitea/conf/app.ini ]; then
+        chmod u+w /datatmp/gitea/conf/app.ini
+        exit
+      fi
+      {{- end }}
+
+      sed "s/HELM_DB_PASSWORD/$(cat /etc/database-secret/db-password)/g" < /etc/gitea/app.ini > /datatmp/gitea/conf/app.ini
+      sed -i "s/HELM_SECRET_KEY/$([ -f /etc/gitea-secret/secret-key ] && cat /etc/gitea-secret/secret-key || gitea generate secret SECRET_KEY)/g" /datatmp/gitea/conf/app.ini
+      sed -i "s/HELM_JWT_SECRET/$([ -f /etc/gitea-secret/jwt-secret ] && cat /etc/gitea-secret/jwt-secret || gitea generate secret JWT_SECRET)/g" /datatmp/gitea/conf/app.ini
+      sed -i "s/HELM_LFS_JWT_SECRET/$([ -f /etc/gitea-secret/lfs-jwt-secret ] && cat /etc/gitea-secret/lfs-jwt-secret || gitea generate secret LFS_JWT_SECRET)/g" /datatmp/gitea/conf/app.ini
+
+      {{- if .Values.config.immutableConfig }}
+      chmod a-w /datatmp/gitea/conf/app.ini
+      {{- end }}
   command: ["/bin/sh",'-c', *script]
   volumeMounts:
   - name: gitea-data
     mountPath: /datatmp
   - name: gitea-config
     mountPath: /etc/gitea
+    readOnly: true
+  - name: database-secret
+    mountPath: /etc/database-secret
+    readOnly: true
+  - name: gitea-secret
+    mountPath: /etc/gitea-secret
+    readOnly: true
 {{- end }}

templates/secrets/externaldb-secret.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.externalDB -}} 
+{{- if (not .Values.externalDB.secretName) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "db-secret-name" . }}
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+type: Opaque
+data:
+  {{ .Values.externalDB.passwordKey }}: {{ .Values.externalDB.dbPassword | b64enc }}
+{{- end -}}
+{{- end }}

templates/secrets/gitea-secret.yaml

@@ -0,0 +1,25 @@
+{{- if (not .Values.config.secretName) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "gitea-secret-name" . }}
+  labels:
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+type: Opaque
+data:
+  {{ if .Values.config.secretKey }}
+  secret-key: {{ .Values.config.secretKey | b64enc }}
+  {{ end }}
+  {{ if .Values.config.jwtSecret }}
+  jwt-secret: {{ .Values.config.jwtSecret | b64enc }}
+  {{ end }}
+  {{ if .Values.config.lfsJwtSecret }}
+  lfs-jwt-secret: {{ .Values.config.lfsJwtSecret | b64enc }}
+  {{ end }}
+  {{ if .Values.config.internalToken }}
+  internal-token: {{ .Values.config.internalToken | b64enc }}
+  {{ end }}
+{{- end }}