fix: Improve OpenShift compatibility (#1066)

techknowlogick
2026-04-15 14:46:54 +00:00
parent a02a7feb6e
commit b7663bb95f
9 changed files with 36 additions and 18 deletions
+3 -3
@@ -291,8 +291,8 @@ openshift:
When enabled, the chart applies `allowPrivilegeEscalation: false`, drops all When enabled, the chart applies `allowPrivilegeEscalation: false`, drops all
Linux capabilities, sets `runAsNonRoot: true`, uses Linux capabilities, sets `runAsNonRoot: true`, uses
`seccompProfile.type: RuntimeDefault`, and sets `hostUsers: false` unless `seccompProfile.type: RuntimeDefault`, and leaves `hostUsers` unset unless
`openshift.hostUsers` is overridden. `openshift.hostUsers` is explicitly overridden.
The deployment keeps the existing vanilla Kubernetes behavior when OpenShift The deployment keeps the existing vanilla Kubernetes behavior when OpenShift
compatibility is disabled. Auto-detection relies on the compatibility is disabled. Auto-detection relies on the
@@ -1009,7 +1009,7 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
| Name | Description | Value | | Name | Description | Value |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ----- | | -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ----- |
| `openshift.enabled` | Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API. | `nil` | | `openshift.enabled` | Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API. | `nil` |
| `openshift.hostUsers` | Override the PodSpec hostUsers field for chart-managed pods. Defaults to `false` when OpenShift compatibility is enabled. | `nil` | | `openshift.hostUsers` | Override the PodSpec hostUsers field for chart-managed pods. When unset, the field is omitted so the platform default is used. | `nil` |
| `podSecurityContext` | Pod security context. On non-OpenShift clusters the chart defaults `fsGroup` to `1000` when this map is empty. | `{}` | | `podSecurityContext` | Pod security context. On non-OpenShift clusters the chart defaults `fsGroup` to `1000` when this map is empty. | `{}` |
| `containerSecurityContext` | Security context | `{}` | | `containerSecurityContext` | Security context | `{}` |
| `securityContext` | Run init and Gitea containers as a specific securityContext | `{}` | | `securityContext` | Run init and Gitea containers as a specific securityContext | `{}` |
+2 -4
@@ -97,8 +97,6 @@ Return the pod's hostUsers setting when OpenShift compatibility is enabled.
{{- if eq (include "gitea.openshift.enabled" . | trim) "true" -}} {{- if eq (include "gitea.openshift.enabled" . | trim) "true" -}}
{{- if kindIs "bool" .Values.openshift.hostUsers -}} {{- if kindIs "bool" .Values.openshift.hostUsers -}}
{{ ternary "true" "false" .Values.openshift.hostUsers }} {{ ternary "true" "false" .Values.openshift.hostUsers }}
{{- else -}}
false
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@@ -222,7 +220,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- else if (index .Values "valkey-cluster").enabled -}} {{- else if (index .Values "valkey-cluster").enabled -}}
{{- printf "redis+cluster://:%s@%s-valkey-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey-cluster").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey-cluster").service.ports.valkey -}} {{- printf "redis+cluster://:%s@%s-valkey-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey-cluster").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey-cluster").service.ports.valkey -}}
{{- else if (index .Values "valkey").enabled -}} {{- else if (index .Values "valkey").enabled -}}
{{- printf "redis://:%s@%s-valkey-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey").master.service.ports.valkey -}} {{- printf "redis://:%s@%s-valkey-primary.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "valkey").global.valkey.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "valkey").master.service.ports.valkey -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@@ -238,7 +236,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- if (index .Values "valkey-cluster").enabled -}} {{- if (index .Values "valkey-cluster").enabled -}}
{{- printf "%s-valkey-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}} {{- printf "%s-valkey-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
{{- else if (index .Values "valkey").enabled -}} {{- else if (index .Values "valkey").enabled -}}
{{- printf "%s-valkey-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}} {{- printf "%s-valkey-primary.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
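Review bot: The define's doc line shown in the hunk header at @@ -97 ("Return the pod's hostUsers setting when OpenShift compatibility is enabled.") no longer matches the code once the `false` fallback is dropped: the helper now renders nothing unless `.Values.openshift.hostUsers` is a bool, and the callers (outside this hunk) presumably omit the field on empty output. Suggest `Return the pod's hostUsers setting when OpenShift compatibility is enabled and openshift.hostUsers is explicitly set; render nothing otherwise so the field is omitted and the platform default applies.` Since `hostUsers: false` was the more isolating default (a user namespace rather than host users), a one-line rationale next to the define saying it was removed for compatibility would spare the next maintainer re-adding it. The hunks at @@ -222 and @@ -238 switch the standalone valkey host from `-valkey-headless` to `-valkey-primary`, which is unrelated to the OpenShift subject of the commit; if that tracks a valkey subchart update, the corresponding version bump is not visible on this page. The define's opening line is outside the hunk.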
+1 -1
@@ -31,7 +31,7 @@ tests:
path: stringData.cache path: stringData.cache
value: |- value: |-
ADAPTER=redis ADAPTER=redis
HOST=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s& HOST=redis://:changeme@gitea-unittests-valkey-primary.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
- it: "cache is configured correctly for 'memory' when valkey (or valkey-cluster) is disabled" - it: "cache is configured correctly for 'memory' when valkey (or valkey-cluster) is disabled"
template: templates/gitea/config.yaml template: templates/gitea/config.yaml
+1 -1
@@ -30,7 +30,7 @@ tests:
equal: equal:
path: stringData.queue path: stringData.queue
value: |- value: |-
CONN_STR=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s& CONN_STR=redis://:changeme@gitea-unittests-valkey-primary.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
TYPE=redis TYPE=redis
- it: "queue is configured correctly for 'levelDB' when valkey (and valkey-cluster) is disabled" - it: "queue is configured correctly for 'levelDB' when valkey (and valkey-cluster) is disabled"
+1 -1
@@ -31,7 +31,7 @@ tests:
path: stringData.session path: stringData.session
value: |- value: |-
PROVIDER=redis PROVIDER=redis
PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s& PROVIDER_CONFIG=redis://:changeme@gitea-unittests-valkey-primary.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
- it: "session is configured correctly for 'memory' when valkey (and valkey-cluster) is disabled" - it: "session is configured correctly for 'memory' when valkey (and valkey-cluster) is disabled"
template: templates/gitea/config.yaml template: templates/gitea/config.yaml
@@ -29,18 +29,19 @@ tests:
path: data["valkey-password"] path: data["valkey-password"]
value: "Z2l0ZWEtcGFzc3dvcmQ=" value: "Z2l0ZWEtcGFzc3dvcmQ="
- it: "[valkey] renders the referenced service" - it: "[valkey] renders the referenced service"
template: charts/valkey/templates/headless-svc.yaml template: charts/valkey/templates/primary/service.yaml
asserts: asserts:
- containsDocument: - containsDocument:
kind: Service kind: Service
apiVersion: v1 apiVersion: v1
name: gitea-unittests-valkey-headless name: gitea-unittests-valkey-primary
namespace: testing namespace: testing
- documentIndex: 0 - documentIndex: 0
contains: contains:
path: spec.ports path: spec.ports
content: content:
name: tcp-redis name: tcp-redis
nodePort: null
port: 6379 port: 6379
targetPort: redis targetPort: redis
- it: "[gitea] waits for valkey to be up and running" - it: "[gitea] waits for valkey to be up and running"
@@ -49,4 +50,4 @@ tests:
- documentIndex: 0 - documentIndex: 0
matchRegex: matchRegex:
path: stringData["configure_gitea.sh"] path: stringData["configure_gitea.sh"]
pattern: nc -vz -w2 gitea-unittests-valkey-headless.testing.svc.cluster.local 6379 pattern: nc -vz -w2 gitea-unittests-valkey-primary.testing.svc.cluster.local 6379
+12 -2
@@ -11,9 +11,8 @@ tests:
set: set:
openshift.enabled: true openshift.enabled: true
asserts: asserts:
- equal: - notExists:
path: spec.template.spec.hostUsers path: spec.template.spec.hostUsers
value: false
- notExists: - notExists:
path: spec.template.spec.securityContext path: spec.template.spec.securityContext
- equal: - equal:
@@ -94,3 +93,14 @@ tests:
- equal: - equal:
path: spec.template.spec.containers[0].securityContext.runAsGroup path: spec.template.spec.containers[0].securityContext.runAsGroup
value: 1000620000 value: 1000620000
- it: renders an explicit hostUsers=false override on OpenShift
template: templates/gitea/deployment.yaml
set:
openshift:
enabled: true
hostUsers: false
asserts:
- equal:
path: spec.template.spec.hostUsers
value: false
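Review bot: The case added at @@ -94 pins only the `hostUsers: false` override; the `true` branch of the helper's ternary (rendered when `openshift.hostUsers` is `true`) has no assertion, here or in the test-pod suite at @@ -22,3 +21,13, so a regression that inverts or drops the `true` output would pass. A case mirroring the added one with `hostUsers: true` and `value: true` closes that gap. The changed assertion at @@ -11 is the right check for the new helper behaviour, but an additional case asserting `notExists` on `spec.template.spec.hostUsers` with `openshift.enabled: false` and `openshift.hostUsers: false` set would document that the override is intentionally ignored off OpenShift, which is what the helper's outer `if` implies.
```yaml
# … unchanged: existing cases …
- it: renders an explicit hostUsers=true override on OpenShift
  template: templates/gitea/deployment.yaml
  set:
    openshift:
      enabled: true
      hostUsers: true
  asserts:
    - equal:
        path: spec.template.spec.hostUsers
        value: true
```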
+11 -2
@@ -9,9 +9,8 @@ tests:
set: set:
openshift.enabled: true openshift.enabled: true
asserts: asserts:
- equal: - notExists:
path: spec.hostUsers path: spec.hostUsers
value: false
- equal: - equal:
path: spec.containers[0].securityContext path: spec.containers[0].securityContext
value: value:
@@ -22,3 +21,13 @@ tests:
runAsNonRoot: true runAsNonRoot: true
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
- it: renders an explicit hostUsers=false override for the test pod
set:
openshift:
enabled: true
hostUsers: false
asserts:
- equal:
path: spec.hostUsers
value: false
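Review bot: The case added at @@ -22 has no `template:` key, unlike the sibling deployment case which names `templates/gitea/deployment.yaml`; that is only valid if this suite declares `templates:` at file level, which is outside the hunk, so please confirm rather than rely on it. If the suite does not, the assertion has no rendered document to check against and the case would not exercise the override at all.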
+1 -1
@@ -63,7 +63,7 @@ imagePullSecrets: []
## @section Security ## @section Security
# Security context is only usable with rootless image due to image design # Security context is only usable with rootless image due to image design
## @param openshift.enabled Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API. ## @param openshift.enabled Enable OpenShift compatibility defaults for chart-managed pods. Defaults to auto-detect based on the SecurityContextConstraints API.
## @param openshift.hostUsers Override the PodSpec hostUsers field for chart-managed pods. Defaults to `false` when OpenShift compatibility is enabled. ## @param openshift.hostUsers Override the PodSpec hostUsers field for chart-managed pods. When unset, the field is omitted so the platform default is used.
openshift: openshift:
enabled: null enabled: null
hostUsers: null hostUsers: null