feat: enhance openshift support (#1063)

### Description of the change Add options to values.yaml to make chart easier to install in restricted openshift environments ### Benefits more people can run this ### Checklist  - [x] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) - [ ] Breaking changes are documented in the `README.md` - [x] Helm templating unittests are added (required when changing anything in `templates` folder) - [ ] Bash unittests are added (required when changing anything in `scripts` folder) - [x] All added template resources MUST render a namespace in metadata --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Reviewed-on: https://gitea.com/gitea/helm-gitea/pulls/1063 Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.com> Co-committed-by: techknowlogick <techknowlogick@gitea.com>
2026-04-14 06:19:15 +00:00
parent e725a53e1c
commit a02a7feb6e
11 changed files with 497 additions and 37 deletions
@@ -1,5 +1,12 @@
 1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
+{{- if .Values.route.enabled }}
+  {{- if .Values.route.host }}
+  {{ include "gitea.public_protocol" . }}://{{ tpl .Values.route.host . }}{{ .Values.route.path }}
+  {{- else }}
+  export ROUTE_HOST=$(kubectl get route --namespace {{ .Release.Namespace }} {{ include "gitea.fullname" . }} -o jsonpath="{.spec.host}")
+  echo {{ include "gitea.public_protocol" . }}://$ROUTE_HOST{{ .Values.route.path }}
+  {{- end }}
+{{- else if .Values.ingress.enabled }}
 {{- range $host := .Values.ingress.hosts }}
  {{- range .paths }}
  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
@@ -76,6 +76,89 @@ imagePullSecrets:
 {{- end }}
 {{- end -}}

+{{/*
+Return true when OpenShift compatibility defaults should be rendered.
+If openshift.enabled is unset, auto-detect via the SCC API.
+*/}}
+{{- define "gitea.openshift.enabled" -}}
+{{- if kindIs "bool" .Values.openshift.enabled -}}
+{{ ternary "true" "false" .Values.openshift.enabled }}
+{{- else if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the pod's hostUsers setting when OpenShift compatibility is enabled.
+*/}}
+{{- define "gitea.hostUsers" -}}
+{{- if eq (include "gitea.openshift.enabled" . | trim) "true" -}}
+{{- if kindIs "bool" .Values.openshift.hostUsers -}}
+{{ ternary "true" "false" .Values.openshift.hostUsers }}
+{{- else -}}
+false
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render pod securityContext. On non-OpenShift clusters an empty map defaults fsGroup to 1000.
+*/}}
+{{- define "gitea.podSecurityContext" -}}
+{{- $podSecurityContext := deepCopy .Values.podSecurityContext -}}
+{{- if and (ne (include "gitea.openshift.enabled" . | trim) "true") (not (hasKey $podSecurityContext "fsGroup")) -}}
+{{- $_ := set $podSecurityContext "fsGroup" 1000 -}}
+{{- end -}}
+{{- if gt (len $podSecurityContext) 0 -}}
+{{ toYaml $podSecurityContext }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render container securityContext with OpenShift restricted SCC defaults when enabled.
+*/}}
+{{- define "gitea.containerSecurityContext" -}}
+{{- $root := index . 0 -}}
+{{- $containerSecurityContext := deepCopy (index . 1) -}}
+{{- if eq (include "gitea.openshift.enabled" $root | trim) "true" -}}
+{{- $containerSecurityContext = mergeOverwrite (dict
+  "allowPrivilegeEscalation" false
+  "capabilities" (dict "drop" (list "ALL"))
+  "runAsNonRoot" true
+  "seccompProfile" (dict "type" "RuntimeDefault")
+) $containerSecurityContext -}}
+{{- end -}}
+{{- if gt (len $containerSecurityContext) 0 -}}
+{{ toYaml $containerSecurityContext }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render the securityContext for init containers that execute Gitea/GPG commands.
+These default to runAsUser 1000 outside OpenShift to preserve existing behavior.
+*/}}
+{{- define "gitea.commandInitContainerSecurityContext" -}}
+{{- $root := index . 0 -}}
+{{- $containerSecurityContext := deepCopy (index . 1) -}}
+{{- if and (ne (include "gitea.openshift.enabled" $root | trim) "true") (not (hasKey $containerSecurityContext "runAsUser")) -}}
+{{- $_ := set $containerSecurityContext "runAsUser" 1000 -}}
+{{- end -}}
+{{- include "gitea.containerSecurityContext" (list $root $containerSecurityContext) -}}
+{{- end -}}
+
+{{/*
+Render the runtime container securityContext while honoring the deprecated securityContext value.
+*/}}
+{{- define "gitea.runtimeContainerSecurityContext" -}}
+{{- $containerSecurityContext := deepCopy .Values.containerSecurityContext -}}
+{{- if and (eq (len $containerSecurityContext) 0) .Values.securityContext -}}
+{{- $containerSecurityContext = deepCopy .Values.securityContext -}}
+{{- end -}}
+{{- include "gitea.containerSecurityContext" (list . $containerSecurityContext) -}}
+{{- end -}}
+

 {{/*
 Storage Class
@@ -163,6 +246,16 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}

+{{- define "gitea.public_hostname" -}}
+{{- if and .Values.route.enabled .Values.route.host -}}
+{{ tpl .Values.route.host . }}
+{{- else if gt (len .Values.ingress.hosts) 0 -}}
+{{ tpl (index .Values.ingress.hosts 0).host $ }}
+{{- else -}}
+{{ include "gitea.default_domain" . }}
+{{- end -}}
+{{- end -}}
+
 {{- define "gitea.ldap_settings" -}}
 {{- $idx := index . 0 }}
 {{- $values := index . 1 }}
@@ -213,7 +306,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}

 {{- define "gitea.public_protocol" -}}
-{{- if and .Values.ingress.enabled (gt (len .Values.ingress.tls) 0) -}}
+{{- if and .Values.route.enabled .Values.route.tls.termination -}}
+https
+{{- else if and .Values.ingress.enabled (gt (len .Values.ingress.tls) 0) -}}
 https
 {{- else -}}
 {{ .Values.gitea.config.server.PROTOCOL }}
@@ -346,11 +441,7 @@ https
    {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}}
  {{- end -}}
  {{- if not (.Values.gitea.config.server.DOMAIN) -}}
-    {{- if gt (len .Values.ingress.hosts) 0 -}}
-      {{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}}
-    {{- else -}}
-      {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
-    {{- end -}}
+    {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.public_hostname" .) -}}
  {{- end -}}
  {{- if not .Values.gitea.config.server.ROOT_URL -}}
    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
@@ -43,6 +43,11 @@ spec:
        {{- toYaml .Values.deployment.labels | nindent 8 }}
        {{- end }}
    spec:
+      {{- $hostUsers := include "gitea.hostUsers" . | trim }}
+      {{- $podSecurityContext := include "gitea.podSecurityContext" . | trim }}
+      {{- $containerSecurityContext := include "gitea.containerSecurityContext" (list . (deepCopy .Values.containerSecurityContext)) | trim }}
+      {{- $commandInitContainerSecurityContext := include "gitea.commandInitContainerSecurityContext" (list . (deepCopy .Values.containerSecurityContext)) | trim }}
+      {{- $runtimeContainerSecurityContext := include "gitea.runtimeContainerSecurityContext" . | trim }}
      {{- if .Values.schedulerName }}
      schedulerName: "{{ .Values.schedulerName }}"
      {{- end }}
@@ -52,9 +57,14 @@ spec:
      {{- if .Values.priorityClassName }}
      priorityClassName: "{{ .Values.priorityClassName }}"
      {{- end }}
+      {{- if $hostUsers }}
+      hostUsers: {{ $hostUsers }}
+      {{- end }}
      {{- include "gitea.images.pullSecrets" . | nindent 6 }}
+      {{- if $podSecurityContext }}
      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- $podSecurityContext | nindent 8 }}
+      {{- end }}
      initContainers:
        {{- if .Values.preExtraInitContainers }}
        {{- toYaml .Values.preExtraInitContainers | nindent 8 }}
@@ -91,8 +101,10 @@ spec:
              subPath: {{ .Values.persistence.subPath }}
              {{- end }}
            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
+          {{- if $containerSecurityContext }}
          securityContext:
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+            {{- $containerSecurityContext | nindent 12 }}
+          {{- end }}
          resources:
            {{- toYaml .Values.initContainers.resources | nindent 12 }}
        - name: init-app-ini
@@ -144,8 +156,10 @@ spec:
              mountPath: "/env-to-ini-mounts/additionals/{{ $idx }}/"
            {{- end }}
            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
+          {{- if $containerSecurityContext }}
          securityContext:
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+            {{- $containerSecurityContext | nindent 12 }}
+          {{- end }}
          resources:
            {{- toYaml .Values.initContainers.resources | nindent 12 }}
        {{- if .Values.signing.enabled }}
@@ -162,13 +176,10 @@ spec:
          - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gpg_environment.sh"
          {{- end }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if $commandInitContainerSecurityContext }}
          securityContext:
-            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
-            {{- $csc := deepCopy .Values.containerSecurityContext -}}
-            {{- if not (hasKey $csc "runAsUser") -}}
-            {{- $_ := set $csc "runAsUser" 1000 -}}
-            {{- end -}}
-            {{- toYaml $csc | nindent 12 }}
+            {{- $commandInitContainerSecurityContext | nindent 12 }}
+          {{- end }}
          env:
            - name: GNUPGHOME
              value: {{ .Values.signing.gpgHome }}
@@ -204,13 +215,10 @@ spec:
          - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gitea.sh"
          {{- end }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if $commandInitContainerSecurityContext }}
          securityContext:
-            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
-            {{- $csc := deepCopy .Values.containerSecurityContext -}}
-            {{- if not (hasKey $csc "runAsUser") -}}
-            {{- $_ := set $csc "runAsUser" 1000 -}}
-            {{- end -}}
-            {{- toYaml $csc | nindent 12 }}
+            {{- $commandInitContainerSecurityContext | nindent 12 }}
+          {{- end }}
          env:
            - name: GITEA_APP_INI
              value: /data/gitea/conf/app.ini
@@ -368,13 +376,10 @@ spec:
          {{- end }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
+          {{- if $runtimeContainerSecurityContext }}
          securityContext:
-            {{- /* Honor the deprecated securityContext variable when defined */ -}}
-            {{- if .Values.containerSecurityContext -}}
-            {{ toYaml .Values.containerSecurityContext | nindent 12 -}}
-            {{- else -}}
-            {{ toYaml .Values.securityContext | nindent 12 -}}
-            {{- end }}
+            {{- $runtimeContainerSecurityContext | nindent 12 }}
+          {{- end }}
          volumeMounts:
            - name: temp
              mountPath: /tmp
@@ -0,0 +1,52 @@
+{{- if .Values.route.enabled -}}
+{{- $fullName := include "gitea.fullname" . -}}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+  {{- with .Values.route.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.route.host }}
+  host: {{ tpl .Values.route.host . | quote }}
+  {{- end }}
+  {{- if .Values.route.path }}
+  path: {{ tpl .Values.route.path . | quote }}
+  {{- end }}
+  to:
+    kind: Service
+    name: {{ $fullName }}-http
+  port:
+    targetPort: http
+  wildcardPolicy: {{ .Values.route.wildcardPolicy }}
+  {{- with .Values.route.tls }}
+  {{- if .termination }}
+  tls:
+    termination: {{ .termination }}
+    {{- if .insecureEdgeTerminationPolicy }}
+    insecureEdgeTerminationPolicy: {{ .insecureEdgeTerminationPolicy }}
+    {{- end }}
+    {{- if .key }}
+    key: |
+      {{- .key | nindent 6 }}
+    {{- end }}
+    {{- if .certificate }}
+    certificate: |
+      {{- .certificate | nindent 6 }}
+    {{- end }}
+    {{- if .caCertificate }}
+    caCertificate: |
+      {{- .caCertificate | nindent 6 }}
+    {{- end }}
+    {{- if .destinationCACertificate }}
+    destinationCACertificate: |
+      {{- .destinationCACertificate | nindent 6 }}
+    {{- end }}
+  {{- end }}
+  {{- end }}
+{{- end }}
@@ -9,9 +9,18 @@ metadata:
  annotations:
    "helm.sh/hook": test-success
 spec:
+  {{- $hostUsers := include "gitea.hostUsers" . | trim }}
+  {{- $testContainerSecurityContext := include "gitea.containerSecurityContext" (list . (dict)) | trim }}
+  {{- if $hostUsers }}
+  hostUsers: {{ $hostUsers }}
+  {{- end }}
  containers:
    - name: wget
      image: "{{ .Values.test.image.name }}:{{ .Values.test.image.tag }}"
+      {{- if $testContainerSecurityContext }}
+      securityContext:
+        {{- $testContainerSecurityContext | nindent 8 }}
+      {{- end }}
      command: ['wget']
      args:  ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}']
  restartPolicy: Never