### Description of the change
This PR adds support for gpg key setup. It allows to pass the gpg private key content inline inside `values.yaml` or refer to an existing secret containing the key content data.
### Benefits
Administrators don't need to manually setup the gpg environment from inside a running container. It also eliminates the breaking change of Gitea 1.17 regarding `[git].HOME` as the `GNUPGHOME` environment variable is used consistently to relocate the `.gnupg` directory to its former location.
### Applicable issues
- fixes#107
### Additional information
This PR add the first unit tests to this Helm Chart, ensuring templating integrity for signing related configuration.
### Checklist
- [x] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com>
Co-authored-by: pat-s <pat-s@noreply.gitea.io>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/343
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
### Description of the change
Checking the existence of the config directory should be done with the directory path itself. Not its parent directory.
This simple fix addresses that by using the config directory for its existence check.
### Benefits
Prior to #337 there was no other way to install this helm chart using the `extraVolumeMounts` setting with these values:
```yaml
replicaCount: %d
extraVolumes:
- name: config-volume
configMap:
name: %s
extraVolumeMounts:
- name: config-volume
mountPath: /data/gitea/templates/custom
```
Without this fix, the Gitea pod would never initialize, and would crashloop with the same error in #296.
### Additional information
Mounting a configMap to `/data/gitea/templates/custom` causes the `/data/gitea` folder to exist even though the `/data/gitea/conf` had not been initialized yet. The initialization script saw that the `/data/gitea` dir existed and exited early without initializing `/data/gitea/conf`.
Co-authored-by: cboin1996 <christianboin@hotmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/310
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Reviewed-by: pat-s <pat-s@noreply.gitea.io>
Co-authored-by: cboin1996 <cboin1996@noreply.gitea.io>
Co-committed-by: cboin1996 <cboin1996@noreply.gitea.io>
## Context
PR #259 introduced support for running Gitea as a uid different than 1000 (git) or 0 (root).
## Problem
In init_directory_structure.sh, there is a "chown 1000:1000" on /tmp/gitea.
This chown only works when running as root or when the target directory is already owned by uid 1000.
As a result, the init container "init-directories" fails on startup when running Gitea with a uid different from 0 or 1000.
Initially, I worked around it by implementing an "initPreScript". But it would make user's life easier if we can make it work out-of-the-box.
## Resolution
I'm taking model on the chown a few lines above that depends on the value of image.rootless. Since the chown only works on default (root) image and is useless on rootless image, there is no need to run it on rootless image.
Co-authored-by: Nicolas MASSE <nicolas.masse@itix.fr>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/266
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-authored-by: nmasse-itix <nmasse-itix@noreply.gitea.io>
Co-committed-by: nmasse-itix <nmasse-itix@noreply.gitea.io>
These changes rewrite the init script to be error aware, informative and have a bit more security awareness.
During rewrite several hidden bugs could be identified and fixed, such as:
- LDAP configuration options interpreted by the shell before passed to command
- Finding multiple ldap ids instead of one during lookup when their names are almost identical
e.g. `_my-ldap-auth` and `my-ldap-auth`
- Properly filter auth sources by their types to prevent unintended type converting attempts that fail
In addition to that the script is a bit cleaner. Some commands do not exist anymore and would cause false-positive errors during script execution.
Helps for: #149
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/178
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
There are currently 2 issues that prevent using this chart to deploy gitea with a SQLite3 database.
1) The value from *gitea.config.database.HOST* is used to set *db.servicename* when all the databases under *gitea.database.buildIn* are not enabled. This causes a type error during the template processing:
`Error: UPGRADE FAILED: template: gitea/templates/gitea/init.yaml:24:20: executing "gitea/templates/gitea/init.yaml" at <include "db.servicename" .>: error calling include: template: gitea/templates/_helpers.tpl:64:31: executing "db.servicename" at <.Values.gitea.config.database.HOST>: wrong type for value; expected string; got interface {}`
2) In *init_gitea.sh*, we use the value *db.servicename* and *db.port* to ping the database. If this database responds to ping, we proceed with the init. The problem here is that *db.port* is not set when all the databases under *gitea.database.buildIn* are disabled. In turn, this raises an error from busybox's *nc*, because no parameter is passed for *PORT*. This causes the init container to go in *CrashLoopBackOff* forever.
The simple fix that is proposed in this PR is to check wether or not *.Values.gitea.config.database.DB_TYPE* is set to determine the value *db.servicename*. If *DB_TYPE* is *'sqlite3'*, leave *db.servicename* empty and use that to bypass the database ping.
Co-authored-by: Baptiste Covolato <b.covolato@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/124
Reviewed-by: Andrew Thornton <art27@cantab.net>
Reviewed-by: lafriks <lafriks@noreply.gitea.io>
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Co-authored-by: Nakrez <nakrez@noreply.gitea.io>
Co-committed-by: Nakrez <nakrez@noreply.gitea.io>
This PR adds a few new chart features which adds to the flexibility of the chart.
- allow extra volumes to be mounted (such as secrets): 2f862c5a48
- pass environment variables also to the init-container: 7044049478
- allow a preparation script to be "injected" into the init-container: 6125a69345
As a concrete example of how this can be used, I use is to configure Gitea to use client certificate authentication against an external Postgres database. That could be accomplished by having a `gitea-postgres-ssl` secret:
```
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: gitea-postgres-ssl
data:
postgresql.crt: <base64...>
postgresql.key: <base64...>
root.crt: <base64...>
```
and then mounting this as a volume in Gitea using:
```
extraVolumes:
- name: postgres-ssl-vol
secret:
secretName: gitea-postgres-ssl
extraVolumeMounts:
- name: postgres-ssl-vol
readOnly: true
mountPath: "/pg-ssl"
```
To get the right permissions on the credentials, we'd use the `initPreScript`:
```
initPreScript: |
# copy postgres client and CA cert from mount and
# give proper permissions
mkdir -p /data/git/.postgresql
cp /pg-ssl/* /data/git/.postgresql/
chown -R git:git /data/git/.postgresql/
chmod 400 /data/git/.postgresql/postgresql.key
```
and to make sure that Gitea uses the certificate we need to pass the proper postgres environment variables (both to the init container and the "main" container):
```
statefulset:
env:
- name: "PGSSLCERT"
value: "/data/git/.postgresql/postgresql.crt"
- name: "PGSSLKEY"
value: "/data/git/.postgresql/postgresql.key"
- name: "PGSSLROOTCERT"
value: "/data/git/.postgresql/root.crt"
```
Co-authored-by: Peter Gardfjäll <peter.gardfjall.work@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/47
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: 6543 <6543@obermui.de>
Co-authored-by: petergardfjall <petergardfjall@noreply.gitea.io>
Co-committed-by: petergardfjall <petergardfjall@noreply.gitea.io>
