diff --git a/README.md b/README.md
index 5dfaf5f..df17bea 100644
--- a/README.md
+++ b/README.md
@@ -291,8 +291,8 @@ openshift:
 When enabled, the chart applies `allowPrivilegeEscalation: false`, drops all Linux capabilities, sets `runAsNonRoot: true`, uses
-`seccompProfile.type: RuntimeDefault`, and sets `hostUsers: false` unless
-`openshift.hostUsers` is overridden.
+`seccompProfile.type: RuntimeDefault`, and leaves `hostUsers` unset unless
+`openshift.hostUsers` is explicitly overridden.
 The deployment keeps the existing vanilla Kubernetes behavior when OpenShift compatibility is disabled. Auto-detection relies on the
@@ -1009,7 +1009,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
 | Name | Description | Value |
 | -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ----- |
 | `openshift.enabled` | Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API. | `nil` |
-| `openshift.hostUsers` | Override the PodSpec hostUsers field for chart-managed pods. Defaults to `false` when OpenShift compatibility is enabled. | `nil` |
+| `openshift.hostUsers` | Override the PodSpec hostUsers field for chart-managed pods. When unset, the field is omitted so the platform default is used. | `nil` |
 | `podSecurityContext` | Pod security context. On non-OpenShift clusters the chart defaults `fsGroup` to `1000` when this map is empty. | `{}` |
 | `containerSecurityContext` | Security context | `{}` |
 | `securityContext` | Run init and Gitea containers as a specific securityContext | `{}` |
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index e4a1156..410ca2b 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -97,8 +97,6 @@ Return the pod's hostUsers setting when OpenShift compatibility is enabled.
 {{- if eq (include "gitea.openshift.enabled" . | trim) "true" -}}
 {{- if kindIs "bool" .Values.openshift.hostUsers -}}
 {{ ternary "true" "false" .Values.openshift.hostUsers }}
-{{- else -}}
-false
 {{- end -}}
 {{- end -}}
 {{- end -}}
@@ -222,7 +220,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- else if (index .Values "valkey-cluster").enabled -}}
 {{- printf "redis+cluster://:%s@%s-valkey-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey-cluster").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey-cluster").service.ports.valkey -}}
 {{- else if (index .Values "valkey").enabled -}}
-{{- printf "redis://:%s@%s-valkey-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey").master.service.ports.valkey -}}
+{{- printf "redis://:%s@%s-valkey-primary.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey").master.service.ports.valkey -}}
 {{- end -}}
 {{- end -}}
@@ -238,7 +236,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- if (index .Values "valkey-cluster").enabled -}}
 {{- printf "%s-valkey-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
 {{- else if (index .Values "valkey").enabled -}}
-{{- printf "%s-valkey-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
+{{- printf "%s-valkey-primary.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}
 {{- end -}}
diff --git a/unittests/helm/config/cache-config.yaml b/unittests/helm/config/cache-config.yaml
index 45b2a5b..c0d4f22 100644
--- a/unittests/helm/config/cache-config.yaml
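Review bot: With the `else` branch removed, any non-boolean value of `openshift.hostUsers` (a string `"false"` from `--set-string` or a quoted value in a values file, or a typo) now renders nothing at all, and an omitted `hostUsers` leaves the pod in the host user namespace — the less isolated outcome — where the old code fell back to `false`. A misconfiguration therefore degrades isolation silently; replace the dropped branch with a hard stop, `{{- else if not (kindIs "invalid" .Values.openshift.hostUsers) -}}` followed by `{{- fail "openshift.hostUsers must be true, false or null" -}}`. The `define` line of this helper sits above the hunk and the hunk's trailing comment does not say why the `false` default was abandoned (presumably cluster-side support for user namespaces varies); a one-line note such as `{{/* hostUsers is only emitted when explicitly set; an unset field keeps the platform default, i.e. the host user namespace */}}` would make the weaker default read as deliberate rather than accidental.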
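Review bot: The rewritten `printf` on the `+` line of the `-222,7` hunk still splices `global.valkey.password` into the URL with a bare `%s`, so a generated or user-supplied password containing `@`, `/`, `?`, `#` or `%` yields a connection string that either fails to parse or authenticates with a different secret than the one stored. This predates the service rename, but since the line is being touched, piping the value through Go's built-in `urlquery` — `((index .Values "valkey").global.valkey.password | urlquery)` — makes the URL robust; the `redis+cluster://` line two lines above has the same exposure. The named template enclosing these branches begins above the hunk, so the first `if` of the chain is not visible here.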
+++ b/unittests/helm/config/cache-config.yaml
@@ -31,7 +31,7 @@ tests:
 path: stringData.cache
 value: |-
 ADAPTER=redis
- HOST=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+ HOST=redis://:changeme@gitea-unittests-valkey-primary.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 - it: "cache is configured correctly for 'memory' when valkey (or valkey-cluster) is disabled"
 template: templates/gitea/config.yaml
diff --git a/unittests/helm/config/queue-config.yaml b/unittests/helm/config/queue-config.yaml
index 86793f9..9113568 100644
--- a/unittests/helm/config/queue-config.yaml
+++ b/unittests/helm/config/queue-config.yaml
@@ -30,7 +30,7 @@ tests:
 equal:
 path: stringData.queue
 value: |-
- CONN_STR=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+ CONN_STR=redis://:changeme@gitea-unittests-valkey-primary.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 TYPE=redis
 - it: "queue is configured correctly for 'levelDB' when valkey (and valkey-cluster) is disabled"
diff --git a/unittests/helm/config/session-config.yaml b/unittests/helm/config/session-config.yaml
index 9c50c61..e518fb5 100644
--- a/unittests/helm/config/session-config.yaml
+++ b/unittests/helm/config/session-config.yaml
@@ -31,7 +31,7 @@ tests:
 path: stringData.session
 value: |-
 PROVIDER=redis
- PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+ PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-primary.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 - it: "session is configured correctly for 'memory' when valkey (and valkey-cluster) is disabled"
 template: templates/gitea/config.yaml
diff --git a/unittests/helm/dependency-checks/customization-integrity-valkey.yaml b/unittests/helm/dependency-checks/customization-integrity-valkey.yaml
index 40c0fc0..27afe1e 100644
--- a/unittests/helm/dependency-checks/customization-integrity-valkey.yaml
+++ b/unittests/helm/dependency-checks/customization-integrity-valkey.yaml
@@ -29,18 +29,19 @@ tests:
 path: data["valkey-password"]
 value: "Z2l0ZWEtcGFzc3dvcmQ="
 - it: "[valkey] renders the referenced service"
- template: charts/valkey/templates/headless-svc.yaml
+ template: charts/valkey/templates/primary/service.yaml
 asserts:
 - containsDocument:
 kind: Service
 apiVersion: v1
- name: gitea-unittests-valkey-headless
+ name: gitea-unittests-valkey-primary
 namespace: testing
 - documentIndex: 0
 contains:
 path: spec.ports
 content:
 name: tcp-redis
+ nodePort: null
 port: 6379
 targetPort: redis
 - it: "[gitea] waits for valkey to be up and running"
@@ -49,4 +50,4 @@ tests:
 - documentIndex: 0
 matchRegex:
 path: stringData["configure_gitea.sh"]
- pattern: nc -vz -w2 gitea-unittests-valkey-headless.testing.svc.cluster.local 6379
+ pattern: nc -vz -w2 gitea-unittests-valkey-primary.testing.svc.cluster.local 6379
diff --git a/unittests/helm/deployment/openshift.yaml b/unittests/helm/deployment/openshift.yaml
index 4fbdc8f..655a859 100644
--- a/unittests/helm/deployment/openshift.yaml
+++ b/unittests/helm/deployment/openshift.yaml
@@ -11,9 +11,8 @@ tests:
 set:
 openshift.enabled: true
 asserts:
- - equal:
+ - notExists:
 path: spec.template.spec.hostUsers
- value: false
 - notExists:
 path: spec.template.spec.securityContext
 - equal:
@@ -94,3 +93,14 @@ tests:
 - equal:
 path: spec.template.spec.containers[0].securityContext.runAsGroup
 value: 1000620000
+
+ - it: renders an explicit hostUsers=false override on OpenShift
+ template: templates/gitea/deployment.yaml
+ set:
+ openshift:
+ enabled: true
+ hostUsers: false
+ asserts:
+ - equal:
+ path: spec.template.spec.hostUsers
+ value: false
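Review bot: The new `- it: renders an explicit hostUsers=false override on OpenShift` case pins only the `enabled: true` + `hostUsers: false` combination; nothing covers an explicit `openshift.hostUsers: false` with OpenShift compatibility off, even though, as far as the `_helpers.tpl` hunk shows, the whole lookup sits inside an `if eq (include "gitea.openshift.enabled" . | trim) "true"` guard and the override is silently dropped there. Add a sibling case with `openshift: {enabled: false, hostUsers: false}` asserting `notExists` on `spec.template.spec.hostUsers`, so that silent behaviour is at least documented by a test, or an `enabled: true` / `hostUsers: true` case if the field is meant to pass through in both directions. The `tests:` list starts above the hunk; the added entry is the last one visible.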
diff --git a/unittests/helm/tests/test-http-connection.yaml b/unittests/helm/tests/test-http-connection.yaml
index ec982b8..52a94d1 100644
--- a/unittests/helm/tests/test-http-connection.yaml
+++ b/unittests/helm/tests/test-http-connection.yaml
@@ -9,9 +9,8 @@ tests:
 set:
 openshift.enabled: true
 asserts:
- - equal:
+ - notExists:
 path: spec.hostUsers
- value: false
 - equal:
 path: spec.containers[0].securityContext
 value:
@@ -22,3 +21,13 @@ tests:
 runAsNonRoot: true
 seccompProfile:
 type: RuntimeDefault
+
+ - it: renders an explicit hostUsers=false override for the test pod
+ set:
+ openshift:
+ enabled: true
+ hostUsers: false
+ asserts:
+ - equal:
+ path: spec.hostUsers
+ value: false
diff --git a/values.yaml b/values.yaml
index 243124f..e695c28 100644
--- a/values.yaml
+++ b/values.yaml
@@ -63,7 +63,7 @@ imagePullSecrets: []
 ## @section Security
 # Security context is only usable with rootless image due to image design
 ## @param openshift.enabled Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API.
-## @param openshift.hostUsers Override the PodSpec hostUsers field for chart-managed pods. Defaults to `false` when OpenShift compatibility is enabled.
+## @param openshift.hostUsers Override the PodSpec hostUsers field for chart-managed pods. When unset, the field is omitted so the platform default is used.
 openshift:
 enabled: null
 hostUsers: null
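Review bot: The new `@param openshift.hostUsers` text in the `values.yaml` hunk says the field is omitted when unset, but it neither says that the override is only honoured when OpenShift compatibility is enabled — which is what the `gitea.openshift.enabled` guard in the `_helpers.tpl` hunk implements — nor what an omitted field means in practice (Kubernetes defaults `hostUsers` to `true`, so the pod shares the host user namespace). Since this is the line that generates the README table, suggest: `## @param openshift.hostUsers Override the PodSpec hostUsers field for chart-managed pods. Only honoured when OpenShift compatibility is enabled. When unset the field is omitted and the cluster default applies (hostUsers: true, no user namespace); set to false to opt into a user namespace where the cluster supports it.` The matching README row in the first file of this diff should carry the same wording.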