fix: Improve OpenShift compatibility (#1066)

This commit is contained in:
techknowlogick
2026-04-15 14:46:54 +00:00
parent a02a7feb6e
commit b7663bb95f
9 changed files with 36 additions and 18 deletions
+3 -3
@@ -291,8 +291,8 @@ openshift:
When enabled, the chart applies `allowPrivilegeEscalation: false`, drops all
Linux capabilities, sets `runAsNonRoot: true`, uses
`seccompProfile.type: RuntimeDefault`, and sets `hostUsers: false` unless
`openshift.hostUsers` is overridden.
`seccompProfile.type: RuntimeDefault`, and leaves `hostUsers` unset unless
`openshift.hostUsers` is explicitly overridden.
The deployment keeps the existing vanilla Kubernetes behavior when OpenShift
compatibility is disabled. Auto-detection relies on the
@@ -1009,7 +1009,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
| Name | Description | Value |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ----- |
| `openshift.enabled` | Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API. | `nil` |
| `openshift.hostUsers` | Override the PodSpec hostUsers field for chart-managed pods. Defaults to `false` when OpenShift compatibility is enabled. | `nil` |
| `openshift.hostUsers` | Override the PodSpec hostUsers field for chart-managed pods. When unset, the field is omitted so the platform default is used. | `nil` |
| `podSecurityContext` | Pod security context. On non-OpenShift clusters the chart defaults `fsGroup` to `1000` when this map is empty. | `{}` |
| `containerSecurityContext` | Security context | `{}` |
| `securityContext` | Run init and Gitea containers as a specific securityContext | `{}` |
+2 -4
@@ -97,8 +97,6 @@ Return the pod's hostUsers setting when OpenShift compatibility is enabled.
{{- if eq (include "gitea.openshift.enabled" . | trim) "true" -}}
{{- if kindIs "bool" .Values.openshift.hostUsers -}}
{{ ternary "true" "false" .Values.openshift.hostUsers }}
{{- else -}}
false
{{- end -}}
{{- end -}}
{{- end -}}
@@ -222,7 +220,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- else if (index .Values "valkey-cluster").enabled -}}
{{- printf "redis+cluster://:%s@%s-valkey-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey-cluster").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey-cluster").service.ports.valkey -}}
{{- else if (index .Values "valkey").enabled -}}
{{- printf "redis://:%s@%s-valkey-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey").master.service.ports.valkey -}}
{{- printf "redis://:%s@%s-valkey-primary.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey").master.service.ports.valkey -}}
{{- end -}}
{{- end -}}
@@ -238,7 +236,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- if (index .Values "valkey-cluster").enabled -}}
{{- printf "%s-valkey-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
{{- else if (index .Values "valkey").enabled -}}
{{- printf "%s-valkey-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
{{- printf "%s-valkey-primary.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
{{- end -}}
{{- end -}}
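Review bot: The `openshift.hostUsers` override is still only honoured inside the `gitea.openshift.enabled` gate (the `if eq (include "gitea.openshift.enabled" . | trim) "true"` line above the `kindIs "bool"` check), so a user who sets `openshift.hostUsers: false` on a cluster where OpenShift compatibility is off gets no `hostUsers` field at all, silently; the reworded @param text in values.yaml ("When unset, the field is omitted so the platform default is used") does not mention that the override is also ignored when OpenShift compatibility is disabled. Either document the gate, e.g. `## @param openshift.hostUsers Override the PodSpec hostUsers field for chart-managed pods; only applied when OpenShift compatibility is enabled. When unset, the field is omitted so the platform default is used.`, or move the `kindIs "bool"` branch outside the gate if the override is meant to work on every cluster. Because an omitted `hostUsers` means the Kubernetes default of `true` (the pod shares the host user namespace, so container UIDs map directly to host UIDs), a one-line comment on the helper stating that operators who want the user-namespace isolation back must set the override explicitly would help reviewers of rendered manifests. The `define` for this helper begins before the hunk. The two later hunks build the same `%s-valkey-primary.%s.svc.%s` host string in two places, and the readiness wait in `configure_gitea.sh` appears to carry it a third time judging by the updated test below; a single helper returning the Valkey host would keep those from drifting again.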
+1 -1
@@ -31,7 +31,7 @@ tests:
path: stringData.cache
value: |-
ADAPTER=redis
HOST=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
HOST=redis://:changeme@gitea-unittests-valkey-primary.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
- it: "cache is configured correctly for 'memory' when valkey (or valkey-cluster) is disabled"
template: templates/gitea/config.yaml
+1 -1
@@ -30,7 +30,7 @@ tests:
equal:
path: stringData.queue
value: |-
CONN_STR=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
CONN_STR=redis://:changeme@gitea-unittests-valkey-primary.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
TYPE=redis
- it: "queue is configured correctly for 'levelDB' when valkey (and valkey-cluster) is disabled"
+1 -1
@@ -31,7 +31,7 @@ tests:
path: stringData.session
value: |-
PROVIDER=redis
PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-primary.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
- it: "session is configured correctly for 'memory' when valkey (and valkey-cluster) is disabled"
template: templates/gitea/config.yaml
@@ -29,18 +29,19 @@ tests:
path: data["valkey-password"]
value: "Z2l0ZWEtcGFzc3dvcmQ="
- it: "[valkey] renders the referenced service"
template: charts/valkey/templates/headless-svc.yaml
template: charts/valkey/templates/primary/service.yaml
asserts:
- containsDocument:
kind: Service
apiVersion: v1
name: gitea-unittests-valkey-headless
name: gitea-unittests-valkey-primary
namespace: testing
- documentIndex: 0
contains:
path: spec.ports
content:
name: tcp-redis
nodePort: null
port: 6379
targetPort: redis
- it: "[gitea] waits for valkey to be up and running"
@@ -49,4 +50,4 @@ tests:
- documentIndex: 0
matchRegex:
path: stringData["configure_gitea.sh"]
pattern: nc -vz -w2 gitea-unittests-valkey-headless.testing.svc.cluster.local 6379
pattern: nc -vz -w2 gitea-unittests-valkey-primary.testing.svc.cluster.local 6379
+12 -2
@@ -11,9 +11,8 @@ tests:
set:
openshift.enabled: true
asserts:
- equal:
- notExists:
path: spec.template.spec.hostUsers
value: false
- notExists:
path: spec.template.spec.securityContext
- equal:
@@ -94,3 +93,14 @@ tests:
- equal:
path: spec.template.spec.containers[0].securityContext.runAsGroup
value: 1000620000
- it: renders an explicit hostUsers=false override on OpenShift
template: templates/gitea/deployment.yaml
set:
openshift:
enabled: true
hostUsers: false
asserts:
- equal:
path: spec.template.spec.hostUsers
value: false
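Review bot: The new case only exercises `hostUsers: false`, so the helper's `ternary "true" "false"` branch for an explicit `hostUsers: true` remains untested, as does the path where `openshift.enabled` is false but the override is set. A sibling case setting `hostUsers: true` and asserting `path: spec.template.spec.hostUsers` / `value: true`, plus one with `openshift.enabled: false` and `hostUsers: false` pinning whichever result is intended there (currently the field is omitted), would lock the contract in. The same two gaps apply to the test-pod suite in the next file.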
+11 -2
@@ -9,9 +9,8 @@ tests:
set:
openshift.enabled: true
asserts:
- equal:
- notExists:
path: spec.hostUsers
value: false
- equal:
path: spec.containers[0].securityContext
value:
@@ -22,3 +21,13 @@ tests:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- it: renders an explicit hostUsers=false override for the test pod
set:
openshift:
enabled: true
hostUsers: false
asserts:
- equal:
path: spec.hostUsers
value: false
+1 -1
@@ -63,7 +63,7 @@ imagePullSecrets: []
## @section Security
# Security context is only usable with rootless image due to image design
## @param openshift.enabled Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API.
## @param openshift.hostUsers Override the PodSpec hostUsers field for chart-managed pods. Defaults to `false` when OpenShift compatibility is enabled.
## @param openshift.hostUsers Override the PodSpec hostUsers field for chart-managed pods. When unset, the field is omitted so the platform default is used.
openshift:
enabled: null
hostUsers: null