volker.raschek/helm-gitea
Archived
1
0
Fork 0
Code Issues 2 Pull Requests 7 Actions Packages Projects Releases Wiki Activity

feat: enhance openshift support (#1063)

Browse Source 
### Description of the change

Add options to values.yaml to make chart easier to install in restricted openshift environments

### Benefits

more people can run this

### Checklist

<!-- [Place an '[X]' (no spaces) in all applicable fields. Please remove unrelated fields.] -->

- [x] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
- [ ] Breaking changes are documented in the `README.md`
- [x] Helm templating unittests are added (required when changing anything in `templates` folder)
- [ ] Bash unittests are added (required when changing anything in `scripts` folder)
- [x] All added template resources MUST render a namespace in metadata

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-gitea/pulls/1063
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.com>
Co-committed-by: techknowlogick <techknowlogick@gitea.com>
This commit is contained in:
techknowlogick
2026-04-14 06:19:15 +00:00
committed by Lunny Xiao
parent e725a53e1c
commit a02a7feb6e
11 changed files with 497 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+55 -6
View File
@@ -280,6 +280,37 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us
[see deployment.yaml](./templates/gitea/deployment.yaml) template inside container "env" declarations [see deployment.yaml](./templates/gitea/deployment.yaml) template inside container "env" declarations
#### OpenShift Compatibility
When installing on OpenShift, enable the compatibility profile so chart-managed pods render SCC-safe defaults and the Gitea init containers stop forcing `runAsUser: 1000`:
```yaml
openshift:
enabled: true
```
When enabled, the chart applies `allowPrivilegeEscalation: false`, drops all
Linux capabilities, sets `runAsNonRoot: true`, uses
`seccompProfile.type: RuntimeDefault`, and sets `hostUsers: false` unless
`openshift.hostUsers` is overridden.
The deployment keeps the existing vanilla Kubernetes behavior when OpenShift
compatibility is disabled. Auto-detection relies on the
`security.openshift.io/v1/SecurityContextConstraints` API, so set
`openshift.enabled: true` explicitly when rendering outside a live cluster.
If you also want to expose Gitea through an OpenShift Route, enable the optional Route resource:
```yaml
route:
enabled: true
host: git.apps.example.com
tls:
termination: edge
```
When `route.host` is set, the chart uses it for `DOMAIN`, `SSH_DOMAIN`, and `ROOT_URL`. Setting `route.tls.termination` also switches the default `ROOT_URL` scheme to `https`.
#### Session, Cache and Queue #### Session, Cache and Queue
The session, cache and queue settings are set to use the built-in Valkey Cluster sub-chart dependency. The session, cache and queue settings are set to use the built-in Valkey Cluster sub-chart dependency.
@@ -975,12 +1006,14 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
### Security ### Security
| Name | Description | Value | | Name | Description | Value |
| ---------------------------- | --------------------------------------------------------------- | ------ | | -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ----- |
| `podSecurityContext.fsGroup` | Set the shared file system group for all containers in the pod. | `1000` | | `openshift.enabled` | Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API. | `nil` |
| `containerSecurityContext` | Security context | `{}` | | `openshift.hostUsers` | Override the PodSpec hostUsers field for chart-managed pods. Defaults to `false` when OpenShift compatibility is enabled. | `nil` |
| `securityContext` | Run init and Gitea containers as a specific securityContext | `{}` | | `podSecurityContext` | Pod security context. On non-OpenShift clusters the chart defaults `fsGroup` to `1000` when this map is empty. | `{}` |
| `podDisruptionBudget` | Pod disruption budget | `{}` | | `containerSecurityContext` | Security context | `{}` |
| `securityContext` | Run init and Gitea containers as a specific securityContext | `{}` |
| `podDisruptionBudget` | Pod disruption budget | `{}` |
### Service ### Service
@@ -1026,6 +1059,22 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
| `ingress.hosts[0].paths[0].path` | Default Ingress path | `/` | | `ingress.hosts[0].paths[0].path` | Default Ingress path | `/` |
| `ingress.tls` | Ingress tls settings | `[]` | | `ingress.tls` | Ingress tls settings | `[]` |
### Route
| Name | Description | Value |
| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------- |
| `route.enabled` | Enable OpenShift Route | `false` |
| `route.annotations` | Route annotations | `{}` |
| `route.host` | Route host. When unset, OpenShift may generate one and Gitea URL defaults fall back to ingress/service values. | `""` |
| `route.path` | Route path | `""` |
| `route.wildcardPolicy` | Route wildcard policy | `None` |
| `route.tls.termination` | Route TLS termination type | `nil` |
| `route.tls.insecureEdgeTerminationPolicy` | Route insecure edge termination policy | `nil` |
| `route.tls.key` | Route TLS key | `nil` |
| `route.tls.certificate` | Route TLS certificate | `nil` |
| `route.tls.caCertificate` | Route TLS CA certificate | `nil` |
| `route.tls.destinationCACertificate` | Route destination CA certificate | `nil` |
### deployment ### deployment
| Name | Description | Value | | Name | Description | Value |
templates/NOTES.txt
+8 -1
View File
@@ -1,5 +1,12 @@
1. Get the application URL by running these commands: 1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }} {{- if .Values.route.enabled }}
{{- if .Values.route.host }}
{{ include "gitea.public_protocol" . }}://{{ tpl .Values.route.host . }}{{ .Values.route.path }}
{{- else }}
export ROUTE_HOST=$(kubectl get route --namespace {{ .Release.Namespace }} {{ include "gitea.fullname" . }} -o jsonpath="{.spec.host}")
echo {{ include "gitea.public_protocol" . }}://$ROUTE_HOST{{ .Values.route.path }}
{{- end }}
{{- else if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }} {{- range $host := .Values.ingress.hosts }}
{{- range .paths }} {{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
templates/_helpers.tpl
+97 -6
View File
@@ -76,6 +76,89 @@ imagePullSecrets:
{{- end }} {{- end }}
{{- end -}} {{- end -}}
{{/*
Return true when OpenShift compatibility defaults should be rendered.
If openshift.enabled is unset, auto-detect via the SCC API.
*/}}
{{- define "gitea.openshift.enabled" -}}
{{- if kindIs "bool" .Values.openshift.enabled -}}
{{ ternary "true" "false" .Values.openshift.enabled }}
{{- else if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" -}}
true
{{- else -}}
false
{{- end -}}
{{- end -}}
{{/*
Return the pod's hostUsers setting when OpenShift compatibility is enabled.
*/}}
{{- define "gitea.hostUsers" -}}
{{- if eq (include "gitea.openshift.enabled" . | trim) "true" -}}
{{- if kindIs "bool" .Values.openshift.hostUsers -}}
{{ ternary "true" "false" .Values.openshift.hostUsers }}
{{- else -}}
false
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Render pod securityContext. On non-OpenShift clusters an empty map defaults fsGroup to 1000.
*/}}
{{- define "gitea.podSecurityContext" -}}
{{- $podSecurityContext := deepCopy .Values.podSecurityContext -}}
{{- if and (ne (include "gitea.openshift.enabled" . | trim) "true") (not (hasKey $podSecurityContext "fsGroup")) -}}
{{- $_ := set $podSecurityContext "fsGroup" 1000 -}}
{{- end -}}
{{- if gt (len $podSecurityContext) 0 -}}
{{ toYaml $podSecurityContext }}
{{- end -}}
{{- end -}}
{{/*
Render container securityContext with OpenShift restricted SCC defaults when enabled.
*/}}
{{- define "gitea.containerSecurityContext" -}}
{{- $root := index . 0 -}}
{{- $containerSecurityContext := deepCopy (index . 1) -}}
{{- if eq (include "gitea.openshift.enabled" $root | trim) "true" -}}
{{- $containerSecurityContext = mergeOverwrite (dict
"allowPrivilegeEscalation" false
"capabilities" (dict "drop" (list "ALL"))
"runAsNonRoot" true
"seccompProfile" (dict "type" "RuntimeDefault")
) $containerSecurityContext -}}
{{- end -}}
{{- if gt (len $containerSecurityContext) 0 -}}
{{ toYaml $containerSecurityContext }}
{{- end -}}
{{- end -}}
{{/*
Render the securityContext for init containers that execute Gitea/GPG commands.
These default to runAsUser 1000 outside OpenShift to preserve existing behavior.
*/}}
{{- define "gitea.commandInitContainerSecurityContext" -}}
{{- $root := index . 0 -}}
{{- $containerSecurityContext := deepCopy (index . 1) -}}
{{- if and (ne (include "gitea.openshift.enabled" $root | trim) "true") (not (hasKey $containerSecurityContext "runAsUser")) -}}
{{- $_ := set $containerSecurityContext "runAsUser" 1000 -}}
{{- end -}}
{{- include "gitea.containerSecurityContext" (list $root $containerSecurityContext) -}}
{{- end -}}
{{/*
Render the runtime container securityContext while honoring the deprecated securityContext value.
*/}}
{{- define "gitea.runtimeContainerSecurityContext" -}}
{{- $containerSecurityContext := deepCopy .Values.containerSecurityContext -}}
{{- if and (eq (len $containerSecurityContext) 0) .Values.securityContext -}}
{{- $containerSecurityContext = deepCopy .Values.securityContext -}}
{{- end -}}
{{- include "gitea.containerSecurityContext" (list . $containerSecurityContext) -}}
{{- end -}}
{{/* {{/*
Storage Class Storage Class
@@ -163,6 +246,16 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}} {{- printf "%s-http.%s.svc.%s" (include "gitea.fullname" .) .Release.Namespace .Values.clusterDomain -}}
{{- end -}} {{- end -}}
{{- define "gitea.public_hostname" -}}
{{- if and .Values.route.enabled .Values.route.host -}}
{{ tpl .Values.route.host . }}
{{- else if gt (len .Values.ingress.hosts) 0 -}}
{{ tpl (index .Values.ingress.hosts 0).host $ }}
{{- else -}}
{{ include "gitea.default_domain" . }}
{{- end -}}
{{- end -}}
{{- define "gitea.ldap_settings" -}} {{- define "gitea.ldap_settings" -}}
{{- $idx := index . 0 }} {{- $idx := index . 0 }}
{{- $values := index . 1 }} {{- $values := index . 1 }}
@@ -213,7 +306,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}} {{- end -}}
{{- define "gitea.public_protocol" -}} {{- define "gitea.public_protocol" -}}
{{- if and .Values.ingress.enabled (gt (len .Values.ingress.tls) 0) -}} {{- if and .Values.route.enabled .Values.route.tls.termination -}}
https
{{- else if and .Values.ingress.enabled (gt (len .Values.ingress.tls) 0) -}}
https https
{{- else -}} {{- else -}}
{{ .Values.gitea.config.server.PROTOCOL }} {{ .Values.gitea.config.server.PROTOCOL }}
@@ -346,11 +441,7 @@ https
{{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}} {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}}
{{- end -}} {{- end -}}
{{- if not (.Values.gitea.config.server.DOMAIN) -}} {{- if not (.Values.gitea.config.server.DOMAIN) -}}
{{- if gt (len .Values.ingress.hosts) 0 -}} {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.public_hostname" .) -}}
{{- $_ := set .Values.gitea.config.server "DOMAIN" ( tpl (index .Values.ingress.hosts 0).host $) -}}
{{- else -}}
{{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
{{- end -}}
{{- end -}} {{- end -}}
{{- if not .Values.gitea.config.server.ROOT_URL -}} {{- if not .Values.gitea.config.server.ROOT_URL -}}
{{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}} {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "gitea.public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
templates/gitea/deployment.yaml
+26 -21
View File
@@ -43,6 +43,11 @@ spec:
{{- toYaml .Values.deployment.labels | nindent 8 }} {{- toYaml .Values.deployment.labels | nindent 8 }}
{{- end }} {{- end }}
spec: spec:
{{- $hostUsers := include "gitea.hostUsers" . | trim }}
{{- $podSecurityContext := include "gitea.podSecurityContext" . | trim }}
{{- $containerSecurityContext := include "gitea.containerSecurityContext" (list . (deepCopy .Values.containerSecurityContext)) | trim }}
{{- $commandInitContainerSecurityContext := include "gitea.commandInitContainerSecurityContext" (list . (deepCopy .Values.containerSecurityContext)) | trim }}
{{- $runtimeContainerSecurityContext := include "gitea.runtimeContainerSecurityContext" . | trim }}
{{- if .Values.schedulerName }} {{- if .Values.schedulerName }}
schedulerName: "{{ .Values.schedulerName }}" schedulerName: "{{ .Values.schedulerName }}"
{{- end }} {{- end }}
@@ -52,9 +57,14 @@ spec:
{{- if .Values.priorityClassName }} {{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}" priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }} {{- end }}
{{- if $hostUsers }}
hostUsers: {{ $hostUsers }}
{{- end }}
{{- include "gitea.images.pullSecrets" . | nindent 6 }} {{- include "gitea.images.pullSecrets" . | nindent 6 }}
{{- if $podSecurityContext }}
securityContext: securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }} {{- $podSecurityContext | nindent 8 }}
{{- end }}
initContainers: initContainers:
{{- if .Values.preExtraInitContainers }} {{- if .Values.preExtraInitContainers }}
{{- toYaml .Values.preExtraInitContainers | nindent 8 }} {{- toYaml .Values.preExtraInitContainers | nindent 8 }}
@@ -91,8 +101,10 @@ spec:
subPath: {{ .Values.persistence.subPath }} subPath: {{ .Values.persistence.subPath }}
{{- end }} {{- end }}
{{- include "gitea.init-additional-mounts" . | nindent 12 }} {{- include "gitea.init-additional-mounts" . | nindent 12 }}
{{- if $containerSecurityContext }}
securityContext: securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 12 }} {{- $containerSecurityContext | nindent 12 }}
{{- end }}
resources: resources:
{{- toYaml .Values.initContainers.resources | nindent 12 }} {{- toYaml .Values.initContainers.resources | nindent 12 }}
- name: init-app-ini - name: init-app-ini
@@ -144,8 +156,10 @@ spec:
mountPath: "/env-to-ini-mounts/additionals/{{ $idx }}/" mountPath: "/env-to-ini-mounts/additionals/{{ $idx }}/"
{{- end }} {{- end }}
{{- include "gitea.init-additional-mounts" . | nindent 12 }} {{- include "gitea.init-additional-mounts" . | nindent 12 }}
{{- if $containerSecurityContext }}
securityContext: securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 12 }} {{- $containerSecurityContext | nindent 12 }}
{{- end }}
resources: resources:
{{- toYaml .Values.initContainers.resources | nindent 12 }} {{- toYaml .Values.initContainers.resources | nindent 12 }}
{{- if .Values.signing.enabled }} {{- if .Values.signing.enabled }}
@@ -162,13 +176,10 @@ spec:
- "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gpg_environment.sh" - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gpg_environment.sh"
{{- end }} {{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if $commandInitContainerSecurityContext }}
securityContext: securityContext:
{{- /* By default this container runs as user 1000 unless otherwise stated */ -}} {{- $commandInitContainerSecurityContext | nindent 12 }}
{{- $csc := deepCopy .Values.containerSecurityContext -}} {{- end }}
{{- if not (hasKey $csc "runAsUser") -}}
{{- $_ := set $csc "runAsUser" 1000 -}}
{{- end -}}
{{- toYaml $csc | nindent 12 }}
env: env:
- name: GNUPGHOME - name: GNUPGHOME
value: {{ .Values.signing.gpgHome }} value: {{ .Values.signing.gpgHome }}
@@ -204,13 +215,10 @@ spec:
- "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gitea.sh" - "{{ .Values.initContainersScriptsVolumeMountPath }}/configure_gitea.sh"
{{- end }} {{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if $commandInitContainerSecurityContext }}
securityContext: securityContext:
{{- /* By default this container runs as user 1000 unless otherwise stated */ -}} {{- $commandInitContainerSecurityContext | nindent 12 }}
{{- $csc := deepCopy .Values.containerSecurityContext -}} {{- end }}
{{- if not (hasKey $csc "runAsUser") -}}
{{- $_ := set $csc "runAsUser" 1000 -}}
{{- end -}}
{{- toYaml $csc | nindent 12 }}
env: env:
- name: GITEA_APP_INI - name: GITEA_APP_INI
value: /data/gitea/conf/app.ini value: /data/gitea/conf/app.ini
@@ -368,13 +376,10 @@ spec:
{{- end }} {{- end }}
resources: resources:
{{- toYaml .Values.resources | nindent 12 }} {{- toYaml .Values.resources | nindent 12 }}
{{- if $runtimeContainerSecurityContext }}
securityContext: securityContext:
{{- /* Honor the deprecated securityContext variable when defined */ -}} {{- $runtimeContainerSecurityContext | nindent 12 }}
{{- if .Values.containerSecurityContext -}} {{- end }}
{{ toYaml .Values.containerSecurityContext | nindent 12 -}}
{{- else -}}
{{ toYaml .Values.securityContext | nindent 12 -}}
{{- end }}
volumeMounts: volumeMounts:
- name: temp - name: temp
mountPath: /tmp mountPath: /tmp
templates/gitea/route.yaml
+52
View File
@@ -0,0 +1,52 @@
{{- if .Values.route.enabled -}}
{{- $fullName := include "gitea.fullname" . -}}
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: {{ $fullName }}
namespace: {{ .Values.namespace | default .Release.Namespace }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
{{- with .Values.route.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.route.host }}
host: {{ tpl .Values.route.host . | quote }}
{{- end }}
{{- if .Values.route.path }}
path: {{ tpl .Values.route.path . | quote }}
{{- end }}
to:
kind: Service
name: {{ $fullName }}-http
port:
targetPort: http
wildcardPolicy: {{ .Values.route.wildcardPolicy }}
{{- with .Values.route.tls }}
{{- if .termination }}
tls:
termination: {{ .termination }}
{{- if .insecureEdgeTerminationPolicy }}
insecureEdgeTerminationPolicy: {{ .insecureEdgeTerminationPolicy }}
{{- end }}
{{- if .key }}
key: |
{{- .key | nindent 6 }}
{{- end }}
{{- if .certificate }}
certificate: |
{{- .certificate | nindent 6 }}
{{- end }}
{{- if .caCertificate }}
caCertificate: |
{{- .caCertificate | nindent 6 }}
{{- end }}
{{- if .destinationCACertificate }}
destinationCACertificate: |
{{- .destinationCACertificate | nindent 6 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
templates/tests/test-http-connection.yaml
+9
View File
@@ -9,9 +9,18 @@ metadata:
annotations: annotations:
"helm.sh/hook": test-success "helm.sh/hook": test-success
spec: spec:
{{- $hostUsers := include "gitea.hostUsers" . | trim }}
{{- $testContainerSecurityContext := include "gitea.containerSecurityContext" (list . (dict)) | trim }}
{{- if $hostUsers }}
hostUsers: {{ $hostUsers }}
{{- end }}
containers: containers:
- name: wget - name: wget
image: "{{ .Values.test.image.name }}:{{ .Values.test.image.tag }}" image: "{{ .Values.test.image.name }}:{{ .Values.test.image.tag }}"
{{- if $testContainerSecurityContext }}
securityContext:
{{- $testContainerSecurityContext | nindent 8 }}
{{- end }}
command: ['wget'] command: ['wget']
args: ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}'] args: ['{{ include "gitea.fullname" . }}-http:{{ .Values.service.http.port }}']
restartPolicy: Never restartPolicy: Never
unittests/helm/config/server-section_domain.yaml
+38
View File
@@ -65,3 +65,41 @@ tests:
matchRegex: matchRegex:
path: stringData.server path: stringData.server
pattern: \nROOT_URL=http://provided.example.com pattern: \nROOT_URL=http://provided.example.com
################################################
- it: "[route enabled] uses route host for DOMAIN|SSH_DOMAIN|ROOT_URL"
template: templates/gitea/config.yaml
set:
route:
enabled: true
host: route.example.com
asserts:
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nDOMAIN=route.example.com
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nSSH_DOMAIN=route.example.com
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nROOT_URL=http://route.example.com
################################################
- it: "[route tls termination] uses https for ROOT_URL"
template: templates/gitea/config.yaml
set:
route:
enabled: true
host: route.example.com
tls:
termination: edge
asserts:
- documentIndex: 0
matchRegex:
path: stringData.server
pattern: \nROOT_URL=https://route.example.com
unittests/helm/deployment/openshift.yaml
+96
View File
@@ -0,0 +1,96 @@
suite: deployment template (openshift)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: renders openshift-compatible defaults for chart-managed containers
template: templates/gitea/deployment.yaml
set:
openshift.enabled: true
asserts:
- equal:
path: spec.template.spec.hostUsers
value: false
- notExists:
path: spec.template.spec.securityContext
- equal:
path: spec.template.spec.initContainers[0].securityContext
value:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- equal:
path: spec.template.spec.initContainers[1].securityContext
value:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- equal:
path: spec.template.spec.initContainers[2].securityContext
value:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- equal:
path: spec.template.spec.containers[0].securityContext
value:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- it: does not force runAsUser 1000 for command init containers on OpenShift
template: templates/gitea/deployment.yaml
set:
openshift.enabled: true
signing.enabled: true
signing.existingSecret: custom-gpg-secret
asserts:
- notExists:
path: spec.template.spec.initContainers[2].securityContext.runAsUser
- notExists:
path: spec.template.spec.initContainers[3].securityContext.runAsUser
- it: preserves explicit pod and container security context overrides on OpenShift
template: templates/gitea/deployment.yaml
set:
openshift:
enabled: true
hostUsers: true
podSecurityContext:
fsGroup: 1000620000
containerSecurityContext:
runAsUser: 1000620000
runAsGroup: 1000620000
asserts:
- equal:
path: spec.template.spec.hostUsers
value: true
- equal:
path: spec.template.spec.securityContext
value:
fsGroup: 1000620000
- equal:
path: spec.template.spec.initContainers[2].securityContext.runAsUser
value: 1000620000
- equal:
path: spec.template.spec.containers[0].securityContext.runAsGroup
value: 1000620000
unittests/helm/route/basic.yaml
+58
View File
@@ -0,0 +1,58 @@
suite: Test route.yaml
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/route.yaml
tests:
- it: should create route when route.enabled is true
set:
route:
enabled: true
host: git.apps.example.com
path: /
annotations:
haproxy.router.openshift.io/timeout: 5m
tls:
termination: edge
insecureEdgeTerminationPolicy: Redirect
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: gitea-unittests
- equal:
path: metadata.annotations["haproxy.router.openshift.io/timeout"]
value: 5m
- equal:
path: spec.host
value: git.apps.example.com
- equal:
path: spec.path
value: /
- equal:
path: spec.to.kind
value: Service
- equal:
path: spec.to.name
value: gitea-unittests-http
- equal:
path: spec.port.targetPort
value: http
- equal:
path: spec.wildcardPolicy
value: None
- equal:
path: spec.tls.termination
value: edge
- equal:
path: spec.tls.insecureEdgeTerminationPolicy
value: Redirect
- it: should not create route when route.enabled is false
set:
route.enabled: false
asserts:
- hasDocuments:
count: 0
unittests/helm/tests/test-http-connection.yaml
+24
View File
@@ -0,0 +1,24 @@
suite: test connection template
release:
name: gitea-unittests
namespace: testing
templates:
- templates/tests/test-http-connection.yaml
tests:
- it: renders openshift-compatible defaults for the test pod
set:
openshift.enabled: true
asserts:
- equal:
path: spec.hostUsers
value: false
- equal:
path: spec.containers[0].securityContext
value:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
values.yaml
+34 -3
View File
@@ -62,9 +62,14 @@ imagePullSecrets: []
## @section Security ## @section Security
# Security context is only usable with rootless image due to image design # Security context is only usable with rootless image due to image design
## @param podSecurityContext.fsGroup Set the shared file system group for all containers in the pod. ## @param openshift.enabled Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API.
podSecurityContext: ## @param openshift.hostUsers Override the PodSpec hostUsers field for chart-managed pods. Defaults to `false` when OpenShift compatibility is enabled.
fsGroup: 1000 openshift:
enabled: null
hostUsers: null
## @param podSecurityContext Pod security context. On non-OpenShift clusters the chart defaults `fsGroup` to `1000` when this map is empty.
podSecurityContext: {}
## @param containerSecurityContext Security context ## @param containerSecurityContext Security context
containerSecurityContext: {} containerSecurityContext: {}
@@ -177,6 +182,32 @@ ingress:
# hosts: # hosts:
# - git.example.com # - git.example.com
## @section Route
## @param route.enabled Enable OpenShift Route
## @param route.annotations Route annotations
## @param route.host Route host. When unset, OpenShift may generate one and Gitea URL defaults fall back to ingress/service values.
## @param route.path Route path
## @param route.wildcardPolicy Route wildcard policy
## @param route.tls.termination Route TLS termination type
## @param route.tls.insecureEdgeTerminationPolicy Route insecure edge termination policy
## @param route.tls.key Route TLS key
## @param route.tls.certificate Route TLS certificate
## @param route.tls.caCertificate Route TLS CA certificate
## @param route.tls.destinationCACertificate Route destination CA certificate
route:
enabled: false
annotations: {}
host: ""
path: ""
wildcardPolicy: None
tls:
termination:
insecureEdgeTerminationPolicy:
key:
certificate:
caCertificate:
destinationCACertificate:
## @section deployment ## @section deployment
# #
## @param resources Kubernetes resources ## @param resources Kubernetes resources