feat: enhance openshift support (#1063)

### Description of the change Add options to values.yaml to make chart easier to install in restricted openshift environments ### Benefits more people can run this ### Checklist  - [x] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) - [ ] Breaking changes are documented in the `README.md` - [x] Helm templating unittests are added (required when changing anything in `templates` folder) - [ ] Bash unittests are added (required when changing anything in `scripts` folder) - [x] All added template resources MUST render a namespace in metadata --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Reviewed-on: https://gitea.com/gitea/helm-gitea/pulls/1063 Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.com> Co-committed-by: techknowlogick <techknowlogick@gitea.com>
2026-04-14 06:19:15 +00:00
parent e725a53e1c
commit a02a7feb6e
11 changed files with 497 additions and 37 deletions
@@ -76,6 +76,89 @@ imagePullSecrets:
 {{- end }}
 {{- end -}}

+{{/*
+Return true when OpenShift compatibility defaults should be rendered.
+If openshift.enabled is unset, auto-detect via the SCC API.
+*/}}
+{{- define "gitea.openshift.enabled" -}}
+{{- if kindIs "bool" .Values.openshift.enabled -}}
+{{ ternary "true" "false" .Values.openshift.enabled }}
+{{- else if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the pod's hostUsers setting when OpenShift compatibility is enabled.
+*/}}
+{{- define "gitea.hostUsers" -}}
+{{- if eq (include "gitea.openshift.enabled" . | trim) "true" -}}
+{{- if kindIs "bool" .Values.openshift.hostUsers -}}
+{{ ternary "true" "false" .Values.openshift.hostUsers }}
+{{- else -}}
+false
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render pod securityContext. On non-OpenShift clusters an empty map defaults fsGroup to 1000.
+*/}}
+{{- define "gitea.podSecurityContext" -}}
+{{- $podSecurityContext := deepCopy .Values.podSecurityContext -}}
+{{- if and (ne (include "gitea.openshift.enabled" . | trim) "true") (not (hasKey $podSecurityContext "fsGroup")) -}}
+{{- $_ := set $podSecurityContext "fsGroup" 1000 -}}
+{{- end -}}
+{{- if gt (len $podSecurityContext) 0 -}}
+{{ toYaml $podSecurityContext }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render container securityContext with OpenShift restricted SCC defaults when enabled.
+*/}}
+{{- define "gitea.containerSecurityContext" -}}
+{{- $root := index . 0 -}}
+{{- $containerSecurityContext := deepCopy (index . 1) -}}
+{{- if eq (include "gitea.openshift.enabled" $root | trim) "true" -}}
+{{- $containerSecurityContext = mergeOverwrite (dict
+  "allowPrivilegeEscalation" false
+  "capabilities" (dict "drop" (list "ALL"))
+  "runAsNonRoot" true
+  "seccompProfile" (dict "type" "RuntimeDefault")
+) $containerSecurityContext -}}
+{{- end -}}
+{{- if gt (len $containerSecurityContext) 0 -}}
+{{ toYaml $containerSecurityContext }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render the securityContext for init containers that execute Gitea/GPG commands.
+These default to runAsUser 1000 outside OpenShift to preserve existing behavior.
+*/}}
+{{- define "gitea.commandInitContainerSecurityContext" -}}
+{{- $root := index . 0 -}}
+{{- $containerSecurityContext := deepCopy (index . 1) -}}
+{{- if and (ne (include "gitea.openshift.enabled" $root | trim) "true") (not (hasKey $containerSecurityContext "runAsUser")) -}}
+{{- $_ := set $containerSecurityContext "runAsUser" 1000 -}}
+{{- end -}}
+{{- include "gitea.containerSecurityContext" (list $root $containerSecurityContext) -}}
+{{- end -}}
+
+{{/*
+Render the runtime container securityContext while honoring the deprecated securityContext value.
+*/}}
+{{- define "gitea.runtimeContainerSecurityContext" -}}
+{{- $containerSecurityContext := deepCopy .Values.containerSecurityContext -}}
+{{- if and (eq (len $containerSecurityContext) 0) .Values.securityContext -}}
+{{- $containerSecurityContext = deepCopy .Values.securityContext -}}
+{{- end -}}
+{{- include "gitea.containerSecurityContext" (list . $containerSecurityContext) -}}
+{{- end -}}
+

 {{/*
 Storage Class
@@ -163,6 +246,16 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}

+{{- define "gitea.public_hostname" -}}
+{{- if and .Values.route.enabled .Values.route.host -}}
+{{ tpl .Values.route.host . }}
+{{- else if gt (len .Values.ingress.hosts) 0 -}}
+{{ tpl (index .Values.ingress.hosts 0).host $ }}
+{{- else -}}
+{{ include "gitea.default_domain" . }}
+{{- end -}}
+{{- end -}}
+
 {{- define "gitea.ldap_settings" -}}
 {{- $idx := index . 0 }}
 {{- $values := index . 1 }}
@@ -213,7 +306,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}

 {{- define "gitea.public_protocol" -}}
-{{- if and .Values.ingress.enabled (gt (len .Values.ingress.tls) 0) -}}
+{{- if and .Values.route.enabled .Values.route.tls.termination -}}
+https
+{{- else if and .Values.ingress.enabled (gt (len .Values.ingress.tls) 0) -}}
 https
 {{- else -}}
 {{ .Values.gitea.config.server.PROTOCOL }}
@@ -346,11 +441,7 @@ https
    {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}}
  {{- end -}}
  {{- if not (.Values.gitea.config.server.DOMAIN) -}}
-    {{- if gt (len .Values.ingress.hosts) 0 -}}
-      {{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}}
-    {{- else -}}
-      {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
-    {{- end -}}
+    {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.public_hostname" .) -}}
  {{- end -}}
  {{- if not .Values.gitea.config.server.ROOT_URL -}}
    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}