From a02a7feb6e8283d464cefbc82b0f506005ac113b Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Tue, 14 Apr 2026 06:19:15 +0000 Subject: [PATCH] feat: enhance openshift support (#1063) ### Description of the change Add options to values.yaml to make chart easier to install in restricted openshift environments ### Benefits more people can run this ### Checklist - [x] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) - [ ] Breaking changes are documented in the `README.md` - [x] Helm templating unittests are added (required when changing anything in `templates` folder) - [ ] Bash unittests are added (required when changing anything in `scripts` folder) - [x] All added template resources MUST render a namespace in metadata --------- Co-authored-by: Lunny Xiao Reviewed-on: https://gitea.com/gitea/helm-gitea/pulls/1063 Reviewed-by: Lunny Xiao Co-authored-by: techknowlogick Co-committed-by: techknowlogick --- README.md | 61 ++++++++++- templates/NOTES.txt | 9 +- templates/_helpers.tpl | 103 +++++++++++++++++- templates/gitea/deployment.yaml | 47 ++++---- templates/gitea/route.yaml | 52 +++++++++ templates/tests/test-http-connection.yaml | 9 ++ .../helm/config/server-section_domain.yaml | 38 +++++++ unittests/helm/deployment/openshift.yaml | 96 ++++++++++++++++ unittests/helm/route/basic.yaml | 58 ++++++++++ .../helm/tests/test-http-connection.yaml | 24 ++++ values.yaml | 37 ++++++- 11 files changed, 497 insertions(+), 37 deletions(-) create mode 100644 templates/gitea/route.yaml create mode 100644 unittests/helm/deployment/openshift.yaml create mode 100644 unittests/helm/route/basic.yaml create mode 100644 unittests/helm/tests/test-http-connection.yaml diff --git a/README.md b/README.md index 6588ef3..5dfaf5f 100644 --- a/README.md +++ b/README.md 
@@ -280,6 +280,37 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us [see deployment.yaml](./templates/gitea/deployment.yaml) template inside container "env" declarations +#### OpenShift Compatibility + +When installing on OpenShift, enable the compatibility profile so chart-managed pods render SCC-safe defaults and the Gitea init containers stop forcing `runAsUser: 1000`: + +```yaml +openshift: + enabled: true +``` + +When enabled, the chart applies `allowPrivilegeEscalation: false`, drops all +Linux capabilities, sets `runAsNonRoot: true`, uses +`seccompProfile.type: RuntimeDefault`, and sets `hostUsers: false` unless +`openshift.hostUsers` is overridden. + +The deployment keeps the existing vanilla Kubernetes behavior when OpenShift +compatibility is disabled. Auto-detection relies on the +`security.openshift.io/v1/SecurityContextConstraints` API, so set +`openshift.enabled: true` explicitly when rendering outside a live cluster. + +If you also want to expose Gitea through an OpenShift Route, enable the optional Route resource: + +```yaml +route: + enabled: true + host: git.apps.example.com + tls: + termination: edge +``` + +When `route.host` is set, the chart uses it for `DOMAIN`, `SSH_DOMAIN`, and `ROOT_URL`. Setting `route.tls.termination` also switches the default `ROOT_URL` scheme to `https`. + #### Session, Cache and Queue The session, cache and queue settings are set to use the built-in Valkey Cluster sub-chart dependency. 
@@ -975,12 +1006,14 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo ### Security -| Name | Description | Value | -| ---------------------------- | --------------------------------------------------------------- | ------ | -| `podSecurityContext.fsGroup` | Set the shared file system group for all containers in the pod. | `1000` | -| `containerSecurityContext` | Security context | `{}` | -| `securityContext` | Run init and Gitea containers as a specific securityContext | `{}` | -| `podDisruptionBudget` | Pod disruption budget | `{}` | +| Name | Description | Value | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ----- | +| `openshift.enabled` | Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API. | `nil` | +| `openshift.hostUsers` | Override the PodSpec hostUsers field for chart-managed pods. Defaults to `false` when OpenShift compatibility is enabled. | `nil` | +| `podSecurityContext` | Pod security context. On non-OpenShift clusters the chart defaults `fsGroup` to `1000` when this map is empty. | `{}` | +| `containerSecurityContext` | Security context | `{}` | +| `securityContext` | Run init and Gitea containers as a specific securityContext | `{}` | +| `podDisruptionBudget` | Pod disruption budget | `{}` | ### Service 
@@ -1026,6 +1059,22 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo | `ingress.hosts[0].paths[0].path` | Default Ingress path | `/` | | `ingress.tls` | Ingress tls settings | `[]` | +### Route + +| Name | Description | Value | +| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------- | +| `route.enabled` | Enable OpenShift Route | `false` | +| `route.annotations` | Route annotations | `{}` | +| `route.host` | Route host. When unset, OpenShift may generate one and Gitea URL defaults fall back to ingress/service values. | `""` | +| `route.path` | Route path | `""` | +| `route.wildcardPolicy` | Route wildcard policy | `None` | +| `route.tls.termination` | Route TLS termination type | `nil` | +| `route.tls.insecureEdgeTerminationPolicy` | Route insecure edge termination policy | `nil` | +| `route.tls.key` | Route TLS key | `nil` | +| `route.tls.certificate` | Route TLS certificate | `nil` | +| `route.tls.caCertificate` | Route TLS CA certificate | `nil` | +| `route.tls.destinationCACertificate` | Route destination CA certificate | `nil` | + ### deployment | Name | Description | Value | diff --git a/templates/NOTES.txt b/templates/NOTES.txt index ad5a8fa..87080e4 100644 --- a/templates/NOTES.txt +++ b/templates/NOTES.txt 
@@ -1,5 +1,12 @@
 1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
+{{- if .Values.route.enabled }}
+ {{- if .Values.route.host }}
+ {{ include "gitea.public_protocol" . }}://{{ tpl .Values.route.host . }}{{ .Values.route.path }}
+ {{- else }}
+ export ROUTE_HOST=$(kubectl get route --namespace {{ .Release.Namespace }} {{ include "gitea.fullname" . }} -o jsonpath="{.spec.host}")
+ echo {{ include "gitea.public_protocol" . }}://$ROUTE_HOST{{ .Values.route.path }}
+ {{- end }}
+{{- else if .Values.ingress.enabled }}
 {{- range $host := .Values.ingress.hosts }}
 {{- range .paths }}
 http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index f993b95..e4a1156 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
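Review bot: The printed route URL appends `.Values.route.path` verbatim, both on the `route.host` line and in the `echo` fallback, while templates/gitea/route.yaml renders the same value through `tpl .Values.route.path .`, so a templated path would be shown differently from what the Route actually serves. Use `{{ tpl .Values.route.path . }}` in both places to keep NOTES consistent with the resource. The `kubectl get route … -o jsonpath="{.spec.host}"` fallback reads the hostname from the live object, which is the right source when OpenShift generates it.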
@@ -76,6 +76,89 @@ imagePullSecrets: {{- end }} {{- end -}} +{{/* +Return true when OpenShift compatibility defaults should be rendered. +If openshift.enabled is unset, auto-detect via the SCC API. +*/}} +{{- define "gitea.openshift.enabled" -}} +{{- if kindIs "bool" .Values.openshift.enabled -}} +{{ ternary "true" "false" .Values.openshift.enabled }} +{{- else if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" -}} +true +{{- else -}} +false +{{- end -}} +{{- end -}} + +{{/* +Return the pod's hostUsers setting when OpenShift compatibility is enabled. +*/}} +{{- define "gitea.hostUsers" -}} +{{- if eq (include "gitea.openshift.enabled" . | trim) "true" -}} +{{- if kindIs "bool" .Values.openshift.hostUsers -}} +{{ ternary "true" "false" .Values.openshift.hostUsers }} +{{- else -}} +false +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Render pod securityContext. On non-OpenShift clusters an empty map defaults fsGroup to 1000. +*/}} +{{- define "gitea.podSecurityContext" -}} +{{- $podSecurityContext := deepCopy .Values.podSecurityContext -}} +{{- if and (ne (include "gitea.openshift.enabled" . | trim) "true") (not (hasKey $podSecurityContext "fsGroup")) -}} +{{- $_ := set $podSecurityContext "fsGroup" 1000 -}} +{{- end -}} +{{- if gt (len $podSecurityContext) 0 -}} +{{ toYaml $podSecurityContext }} +{{- end -}} +{{- end -}} + +{{/* +Render container securityContext with OpenShift restricted SCC defaults when enabled. +*/}} +{{- define "gitea.containerSecurityContext" -}} +{{- $root := index . 0 -}} +{{- $containerSecurityContext := deepCopy (index . 
1) -}} +{{- if eq (include "gitea.openshift.enabled" $root | trim) "true" -}} +{{- $containerSecurityContext = mergeOverwrite (dict + "allowPrivilegeEscalation" false + "capabilities" (dict "drop" (list "ALL")) + "runAsNonRoot" true + "seccompProfile" (dict "type" "RuntimeDefault") +) $containerSecurityContext -}} +{{- end -}} +{{- if gt (len $containerSecurityContext) 0 -}} +{{ toYaml $containerSecurityContext }} +{{- end -}} +{{- end -}} + +{{/* +Render the securityContext for init containers that execute Gitea/GPG commands. +These default to runAsUser 1000 outside OpenShift to preserve existing behavior. +*/}} +{{- define "gitea.commandInitContainerSecurityContext" -}} +{{- $root := index . 0 -}} +{{- $containerSecurityContext := deepCopy (index . 1) -}} +{{- if and (ne (include "gitea.openshift.enabled" $root | trim) "true") (not (hasKey $containerSecurityContext "runAsUser")) -}} +{{- $_ := set $containerSecurityContext "runAsUser" 1000 -}} +{{- end -}} +{{- include "gitea.containerSecurityContext" (list $root $containerSecurityContext) -}} +{{- end -}} + +{{/* +Render the runtime container securityContext while honoring the deprecated securityContext value. +*/}} +{{- define "gitea.runtimeContainerSecurityContext" -}} +{{- $containerSecurityContext := deepCopy .Values.containerSecurityContext -}} +{{- if and (eq (len $containerSecurityContext) 0) .Values.securityContext -}} +{{- $containerSecurityContext = deepCopy .Values.securityContext -}} +{{- end -}} +{{- include "gitea.containerSecurityContext" (list . $containerSecurityContext) -}} +{{- end -}} + {{/* Storage Class 
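Review bot: `gitea.containerSecurityContext` sets `runAsNonRoot: true` without a `runAsUser`, so the hardening only holds where something else guarantees a non-root UID; on OpenShift the restricted SCC injects one, but when `openshift.enabled: true` is forced on another cluster the kubelet will refuse to start any container whose image runs as root (the README on this page still describes a non-rootless mode via `image.rootless`). The same defaults are applied with an empty map to the `wget` test container in templates/tests/test-http-connection.yaml, which will fail there too unless that image declares a non-root user. Worth stating in the helper's `{{/* … */}}` header: `runAsNonRoot relies on the SCC assigning a non-root UID; if openshift.enabled is forced outside OpenShift the image must itself run as non-root (see image.rootless) or runAsUser must be set in containerSecurityContext.` The field set matches the Kubernetes restricted Pod Security Standard, so a follow-up could offer the same profile independently of OpenShift detection.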
@@ -163,6 +246,16 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}} {{- end -}} +{{- define "gitea.public_hostname" -}} +{{- if and .Values.route.enabled .Values.route.host -}} +{{ tpl .Values.route.host . }} +{{- else if gt (len .Values.ingress.hosts) 0 -}} +{{ tpl (index .Values.ingress.hosts 0).host $ }} +{{- else -}} +{{ include "gitea.default_domain" . }} +{{- end -}} +{{- end -}} + {{- define "gitea.ldap_settings" -}} {{- $idx := index . 0 }} {{- $values := index . 1 }} @@ -213,7 +306,9 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} {{- define "gitea.public_protocol" -}} -{{- if and .Values.ingress.enabled (gt (len .Values.ingress.tls) 0) -}} +{{- if and .Values.route.enabled .Values.route.tls.termination -}} +https +{{- else if and .Values.ingress.enabled (gt (len .Values.ingress.tls) 0) -}} https {{- else -}} {{ .Values.gitea.config.server.PROTOCOL }} @@ -346,11 +441,7 @@ https {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}} {{- end -}} {{- if not (.Values.gitea.config.server.DOMAIN) -}} - {{- if gt (len .Values.ingress.hosts) 0 -}} - {{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}} - {{- else -}} - {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}} - {{- end -}} + {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.public_hostname" .) -}} {{- end -}} {{- if not .Values.gitea.config.server.ROOT_URL -}} {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}} diff --git a/templates/gitea/deployment.yaml b/templates/gitea/deployment.yaml index 8372313..14e82ac 100644 --- a/templates/gitea/deployment.yaml +++ b/templates/gitea/deployment.yaml 
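Review bot: `gitea.public_protocol` now dereferences `.Values.route.tls.termination` unguarded, so a user values file that nulls out `route.tls` (Helm removes a key set to `null`) would abort rendering of every template that includes this helper, whereas route.yaml on this page guards the same map with `with .Values.route.tls`. A nil-safe form is `{{- if and .Values.route.enabled (.Values.route.tls | default dict).termination -}}`. In `gitea.public_hostname`, when the Route is enabled without a `route.host` the OpenShift-generated hostname is unknown at render time and DOMAIN/ROOT_URL fall back to ingress or service values, which matters because Gitea derives redirects and absolute links from ROOT_URL; the README hunk states this, and a one-line `{{/* … */}}` comment above the define saying the same would help readers of the template.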
@@ -43,6 +43,11 @@ spec: {{- toYaml .Values.deployment.labels | nindent 8 }} {{- end }} spec: + {{- $hostUsers := include "gitea.hostUsers" . | trim }} + {{- $podSecurityContext := include "gitea.podSecurityContext" . | trim }} + {{- $containerSecurityContext := include "gitea.containerSecurityContext" (list . (deepCopy .Values.containerSecurityContext)) | trim }} + {{- $commandInitContainerSecurityContext := include "gitea.commandInitContainerSecurityContext" (list . (deepCopy .Values.containerSecurityContext)) | trim }} + {{- $runtimeContainerSecurityContext := include "gitea.runtimeContainerSecurityContext" . | trim }} {{- if .Values.schedulerName }} schedulerName: "{{ .Values.schedulerName }}" {{- end }} @@ -52,9 +57,14 @@ spec: {{- if .Values.priorityClassName }} priorityClassName: "{{ .Values.priorityClassName }}" {{- end }} + {{- if $hostUsers }} + hostUsers: {{ $hostUsers }} + {{- end }} {{- include "gitea.images.pullSecrets" . | nindent 6 }} + {{- if $podSecurityContext }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- $podSecurityContext | nindent 8 }} + {{- end }} initContainers: {{- if .Values.preExtraInitContainers }} {{- toYaml .Values.preExtraInitContainers | nindent 8 }} @@ -91,8 +101,10 @@ spec: subPath: {{ .Values.persistence.subPath }} {{- end }} {{- include "gitea.init-additional-mounts" . | nindent 12 }} + {{- if $containerSecurityContext }} securityContext: - {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- $containerSecurityContext | nindent 12 }} + {{- end }} resources: {{- toYaml .Values.initContainers.resources | nindent 12 }} - name: init-app-ini 
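Review bot: `hostUsers: false`, rendered here from `$hostUsers` (and likewise in templates/tests/test-http-connection.yaml), is a feature-gated PodSpec field; as far as I can tell the API server drops it at admission rather than rejecting the pod when user namespaces are not enabled, so the manifest silently diverges from the stored object and the UID isolation the field implies is not in effect. Since the chart relies on it as part of the OpenShift profile, that dependency deserves a note next to the variable: `{{- /* hostUsers is only honored where user namespaces are enabled; otherwise the field is dropped at admission */ -}}`. The `deepCopy` in both `include` arguments is redundant, since `gitea.containerSecurityContext` and `gitea.commandInitContainerSecurityContext` deep-copy their input again. The pod `spec:` block these hunks sit in continues outside them.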
@@ -144,8 +156,10 @@ spec: mountPath: "/env-to-ini-mounts/additionals/{{ $idx }}/" {{- end }} {{- include "gitea.init-additional-mounts" . | nindent 12 }} + {{- if $containerSecurityContext }} securityContext: - {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- $containerSecurityContext | nindent 12 }} + {{- end }} resources: {{- toYaml .Values.initContainers.resources | nindent 12 }} {{- if .Values.signing.enabled }} @@ -162,13 +176,10 @@ spec: - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gpg_environment.sh" {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if $commandInitContainerSecurityContext }} securityContext: - {{- /* By default this container runs as user 1000 unless otherwise stated */ -}} - {{- $csc := deepCopy .Values.containerSecurityContext -}} - {{- if not (hasKey $csc "runAsUser") -}} - {{- $_ := set $csc "runAsUser" 1000 -}} - {{- end -}} - {{- toYaml $csc | nindent 12 }} + {{- $commandInitContainerSecurityContext | nindent 12 }} + {{- end }} env: - name: GNUPGHOME value: {{ .Values.signing.gpgHome }} @@ -204,13 +215,10 @@ spec: - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gitea.sh" {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if $commandInitContainerSecurityContext }} securityContext: - {{- /* By default this container runs as user 1000 unless otherwise stated */ -}} - {{- $csc := deepCopy .Values.containerSecurityContext -}} - {{- if not (hasKey $csc "runAsUser") -}} - {{- $_ := set $csc "runAsUser" 1000 -}} - {{- end -}} - {{- toYaml $csc | nindent 12 }} + {{- $commandInitContainerSecurityContext | nindent 12 }} + {{- end }} env: - name: GITEA_APP_INI value: /data/gitea/conf/app.ini 
@@ -368,13 +376,10 @@ spec: {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} + {{- if $runtimeContainerSecurityContext }} securityContext: - {{- /* Honor the deprecated securityContext variable when defined */ -}} - {{- if .Values.containerSecurityContext -}} - {{ toYaml .Values.containerSecurityContext | nindent 12 -}} - {{- else -}} - {{ toYaml .Values.securityContext | nindent 12 -}} - {{- end }} + {{- $runtimeContainerSecurityContext | nindent 12 }} + {{- end }} volumeMounts: - name: temp mountPath: /tmp diff --git a/templates/gitea/route.yaml b/templates/gitea/route.yaml new file mode 100644 index 0000000..7d44ef6 --- /dev/null +++ b/templates/gitea/route.yaml 
@@ -0,0 +1,52 @@
+{{- if .Values.route.enabled -}}
+{{- $fullName := include "gitea.fullname" . -}}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: {{ $fullName }}
+ namespace: {{ .Values.namespace | default .Release.Namespace }}
+ labels:
+ {{- include "gitea.labels" . | nindent 4 }}
+ {{- with .Values.route.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.route.host }}
+ host: {{ tpl .Values.route.host . | quote }}
+ {{- end }}
+ {{- if .Values.route.path }}
+ path: {{ tpl .Values.route.path . | quote }}
+ {{- end }}
+ to:
+ kind: Service
+ name: {{ $fullName }}-http
+ port:
+ targetPort: http
+ wildcardPolicy: {{ .Values.route.wildcardPolicy }}
+ {{- with .Values.route.tls }}
+ {{- if .termination }}
+ tls:
+ termination: {{ .termination }}
+ {{- if .insecureEdgeTerminationPolicy }}
+ insecureEdgeTerminationPolicy: {{ .insecureEdgeTerminationPolicy }}
+ {{- end }}
+ {{- if .key }}
+ key: |
+ {{- .key | nindent 6 }}
+ {{- end }}
+ {{- if .certificate }}
+ certificate: |
+ {{- .certificate | nindent 6 }}
+ {{- end }}
+ {{- if .caCertificate }}
+ caCertificate: |
+ {{- .caCertificate | nindent 6 }}
+ {{- end }}
+ {{- if .destinationCACertificate }}
+ destinationCACertificate: |
+ {{- .destinationCACertificate | nindent 6 }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/templates/tests/test-http-connection.yaml b/templates/tests/test-http-connection.yaml
index da28ea6..c47d2d4 100644
--- a/templates/tests/test-http-connection.yaml
+++ b/templates/tests/test-http-connection.yaml
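Review bot: `route.tls.key` is a TLS private key taken from plain chart values and inlined into the Route manifest under `key: |`, so it is persisted in the Helm release Secret and surfaces in any `helm template` output, CI log or GitOps repository that carries the values, unlike the secret-reference pattern the chart already uses elsewhere (e.g. `signing.existingSecret`). At minimum the `## @param route.tls.key` line in values.yaml should tell users to supply it from a secret-managed values source rather than commit it, and a `{{- /* … */ -}}` comment above the `tls:` block here should repeat that. Newer OpenShift releases let a Route reference a Secret for its certificate instead (`spec.tls.externalCertificate`, feature-gated on older versions), which would be the better follow-up to inlining key material.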
@@ -9,9 +9,18 @@ metadata: annotations: "helm.sh/hook": test-success spec: + {{- $hostUsers := include "gitea.hostUsers" . | trim }} + {{- $testContainerSecurityContext := include "gitea.containerSecurityContext" (list . (dict)) | trim }} + {{- if $hostUsers }} + hostUsers: {{ $hostUsers }} + {{- end }} containers: - name: wget image: "{{ .Values.test.image.name }}:{{ .Values.test.image.tag }}" + {{- if $testContainerSecurityContext }} + securityContext: + {{- $testContainerSecurityContext | nindent 8 }} + {{- end }} command: ['wget'] args: ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}'] restartPolicy: Never diff --git a/unittests/helm/config/server-section_domain.yaml b/unittests/helm/config/server-section_domain.yaml index cf5a3b8..3fa141b 100644 --- a/unittests/helm/config/server-section_domain.yaml +++ b/unittests/helm/config/server-section_domain.yaml @@ -65,3 +65,41 @@ tests: matchRegex: path: stringData.server pattern: \nROOT_URL=http://provided.example.com + + ################################################ + + - it: "[route enabled] uses route host for DOMAIN|SSH_DOMAIN|ROOT_URL" + template: templates/gitea/config.yaml + set: + route: + enabled: true + host: route.example.com + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nDOMAIN=route.example.com + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nSSH_DOMAIN=route.example.com + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nROOT_URL=http://route.example.com + + ################################################ + + - it: "[route tls termination] uses https for ROOT_URL" + template: templates/gitea/config.yaml + set: + route: + enabled: true + host: route.example.com + tls: + termination: edge + asserts: + - documentIndex: 0 + matchRegex: + path: stringData.server + pattern: \nROOT_URL=https://route.example.com 
diff --git a/unittests/helm/deployment/openshift.yaml b/unittests/helm/deployment/openshift.yaml
new file mode 100644
index 0000000..4fbdc8f
--- /dev/null
+++ b/unittests/helm/deployment/openshift.yaml
@@ -0,0 +1,96 @@ +suite: deployment template (openshift) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/deployment.yaml + - templates/gitea/config.yaml +tests: + - it: renders openshift-compatible defaults for chart-managed containers + template: templates/gitea/deployment.yaml + set: + openshift.enabled: true + asserts: + - equal: + path: spec.template.spec.hostUsers + value: false + - notExists: + path: spec.template.spec.securityContext + - equal: + path: spec.template.spec.initContainers[0].securityContext + value: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + - equal: + path: spec.template.spec.initContainers[1].securityContext + value: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + - equal: + path: spec.template.spec.initContainers[2].securityContext + value: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + - equal: + path: spec.template.spec.containers[0].securityContext + value: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + + - it: does not force runAsUser 1000 for command init containers on OpenShift + template: templates/gitea/deployment.yaml + set: + openshift.enabled: true + signing.enabled: true + signing.existingSecret: custom-gpg-secret + asserts: + - notExists: + path: spec.template.spec.initContainers[2].securityContext.runAsUser + - notExists: + path: spec.template.spec.initContainers[3].securityContext.runAsUser + + - it: preserves explicit pod and container security context overrides on OpenShift + template: templates/gitea/deployment.yaml + set: + openshift: + enabled: true + hostUsers: true + podSecurityContext: + fsGroup: 1000620000 + containerSecurityContext: + runAsUser: 
1000620000 + runAsGroup: 1000620000 + asserts: + - equal: + path: spec.template.spec.hostUsers + value: true + - equal: + path: spec.template.spec.securityContext + value: + fsGroup: 1000620000 + - equal: + path: spec.template.spec.initContainers[2].securityContext.runAsUser + value: 1000620000 + - equal: + path: spec.template.spec.containers[0].securityContext.runAsGroup + value: 1000620000 diff --git a/unittests/helm/route/basic.yaml b/unittests/helm/route/basic.yaml new file mode 100644 index 0000000..246d50a --- /dev/null +++ b/unittests/helm/route/basic.yaml @@ -0,0 +1,58 @@ +suite: Test route.yaml +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/route.yaml +tests: + - it: should create route when route.enabled is true + set: + route: + enabled: true + host: git.apps.example.com + path: / + annotations: + haproxy.router.openshift.io/timeout: 5m + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect + asserts: + - hasDocuments: + count: 1 + - equal: + path: metadata.name + value: gitea-unittests + - equal: + path: metadata.annotations["haproxy.router.openshift.io/timeout"] + value: 5m + - equal: + path: spec.host + value: git.apps.example.com + - equal: + path: spec.path + value: / + - equal: + path: spec.to.kind + value: Service + - equal: + path: spec.to.name + value: gitea-unittests-http + - equal: + path: spec.port.targetPort + value: http + - equal: + path: spec.wildcardPolicy + value: None + - equal: + path: spec.tls.termination + value: edge + - equal: + path: spec.tls.insecureEdgeTerminationPolicy + value: Redirect + + - it: should not create route when route.enabled is false + set: + route.enabled: false + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/helm/tests/test-http-connection.yaml b/unittests/helm/tests/test-http-connection.yaml new file mode 100644 index 0000000..ec982b8 --- /dev/null +++ b/unittests/helm/tests/test-http-connection.yaml 
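Review bot: None of these cases exercise the auto-detection branch of `gitea.openshift.enabled` — every test sets `openshift.enabled: true` explicitly — and none pins the vanilla-cluster behavior the refactor must preserve (no `hostUsers` emitted, `fsGroup: 1000` still defaulted from an empty `podSecurityContext`). helm-unittest can supply `capabilities.apiVersions`, which is exactly what the helper queries, so both paths fit in this suite. Suggested additions below; the fsGroup regression may already be covered by a deployment suite I cannot see, in which case only the first case is needed.
```yaml
  - it: auto-detects OpenShift from the SecurityContextConstraints API when openshift.enabled is unset
    template: templates/gitea/deployment.yaml
    capabilities:
      apiVersions:
        - security.openshift.io/v1/SecurityContextConstraints
    asserts:
      - equal:
          path: spec.template.spec.hostUsers
          value: false
      - notExists:
          path: spec.template.spec.securityContext

  - it: keeps vanilla Kubernetes defaults when not on OpenShift
    template: templates/gitea/deployment.yaml
    asserts:
      - notExists:
          path: spec.template.spec.hostUsers
      - equal:
          path: spec.template.spec.securityContext.fsGroup
          value: 1000
```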
@@ -0,0 +1,24 @@ +suite: test connection template +release: + name: gitea-unittests + namespace: testing +templates: + - templates/tests/test-http-connection.yaml +tests: + - it: renders openshift-compatible defaults for the test pod + set: + openshift.enabled: true + asserts: + - equal: + path: spec.hostUsers + value: false + - equal: + path: spec.containers[0].securityContext + value: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/values.yaml b/values.yaml index 313edd8..243124f 100644 --- a/values.yaml +++ b/values.yaml @@ -62,9 +62,14 @@ imagePullSecrets: [] ## @section Security # Security context is only usable with rootless image due to image design -## @param podSecurityContext.fsGroup Set the shared file system group for all containers in the pod. -podSecurityContext: - fsGroup: 1000 +## @param openshift.enabled Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API. +## @param openshift.hostUsers Override the PodSpec hostUsers field for chart-managed pods. Defaults to `false` when OpenShift compatibility is enabled. +openshift: + enabled: null + hostUsers: null + +## @param podSecurityContext Pod security context. On non-OpenShift clusters the chart defaults `fsGroup` to `1000` when this map is empty. +podSecurityContext: {} ## @param containerSecurityContext Security context containerSecurityContext: {} 
@@ -177,6 +182,32 @@ ingress: # hosts: # - git.example.com +## @section Route +## @param route.enabled Enable OpenShift Route +## @param route.annotations Route annotations +## @param route.host Route host. When unset, OpenShift may generate one and Gitea URL defaults fall back to ingress/service values. +## @param route.path Route path +## @param route.wildcardPolicy Route wildcard policy +## @param route.tls.termination Route TLS termination type +## @param route.tls.insecureEdgeTerminationPolicy Route insecure edge termination policy +## @param route.tls.key Route TLS key +## @param route.tls.certificate Route TLS certificate +## @param route.tls.caCertificate Route TLS CA certificate +## @param route.tls.destinationCACertificate Route destination CA certificate +route: + enabled: false + annotations: {} + host: "" + path: "" + wildcardPolicy: None + tls: + termination: + insecureEdgeTerminationPolicy: + key: + certificate: + caCertificate: + destinationCACertificate: + ## @section deployment # ## @param resources Kubernetes resources