You've already forked helm-gitea
Compare commits
9 Commits
Author | SHA1 | Date | |
---|---|---|---|
513ad81228 | |||
e47edbddf9 | |||
da4120809f | |||
83c184826b | |||
ccec32c144 | |||
19e9b07e6e | |||
8b6a00603a | |||
6574b1b232 | |||
4f7bc17d34 |
29
.drone.yml
29
.drone.yml
@ -10,22 +10,31 @@ platform:
|
|||||||
steps:
|
steps:
|
||||||
- name: helm lint
|
- name: helm lint
|
||||||
pull: always
|
pull: always
|
||||||
image: alpine:3.16
|
image: alpine:3.17
|
||||||
commands:
|
commands:
|
||||||
- apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
|
- apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
|
||||||
- helm lint
|
- helm lint
|
||||||
|
|
||||||
- name: helm template
|
- name: helm template
|
||||||
pull: always
|
pull: always
|
||||||
image: alpine:3.16
|
image: alpine:3.17
|
||||||
commands:
|
commands:
|
||||||
- apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
|
- apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
|
||||||
- helm dependency update
|
- helm dependency update
|
||||||
- helm template --debug gitea-helm .
|
- helm template --debug gitea-helm .
|
||||||
|
|
||||||
|
- name: helm unittests
|
||||||
|
pull: always
|
||||||
|
image: alpine:3.17
|
||||||
|
commands:
|
||||||
|
- apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make helm git bash
|
||||||
|
- helm plugin install https://github.com/heyhabito/helm-unittest
|
||||||
|
- helm dependency update
|
||||||
|
- make unittests
|
||||||
|
|
||||||
- name: verify readme
|
- name: verify readme
|
||||||
pull: always
|
pull: always
|
||||||
image: alpine:3.16
|
image: alpine:3.17
|
||||||
commands:
|
commands:
|
||||||
- apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make npm git
|
- apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make npm git
|
||||||
- make readme
|
- make readme
|
||||||
@ -61,7 +70,7 @@ trigger:
|
|||||||
steps:
|
steps:
|
||||||
- name: generate-chart
|
- name: generate-chart
|
||||||
pull: always
|
pull: always
|
||||||
image: alpine:3.16
|
image: alpine:3.17
|
||||||
commands:
|
commands:
|
||||||
- apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
|
- apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
|
||||||
- apk add --no-cache curl
|
- apk add --no-cache curl
|
||||||
@ -76,8 +85,16 @@ steps:
|
|||||||
pull: always
|
pull: always
|
||||||
image: plugins/s3:latest
|
image: plugins/s3:latest
|
||||||
settings:
|
settings:
|
||||||
bucket: gitea-artifacts
|
acl:
|
||||||
endpoint: https://ams3.digitaloceanspaces.com
|
from_secret: aws_s3_acl
|
||||||
|
region:
|
||||||
|
from_secret: aws_s3_region
|
||||||
|
bucket:
|
||||||
|
from_secret: aws_s3_bucket
|
||||||
|
endpoint:
|
||||||
|
from_secret: aws_s3_endpoint
|
||||||
|
path_style:
|
||||||
|
from_secret: aws_s3_path_style
|
||||||
access_key:
|
access_key:
|
||||||
from_secret: aws_access_key_id
|
from_secret: aws_access_key_id
|
||||||
secret_key:
|
secret_key:
|
||||||
|
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,3 +1,4 @@
|
|||||||
charts/
|
charts/
|
||||||
node_modules/
|
node_modules/
|
||||||
.DS_Store
|
.DS_Store
|
||||||
|
unittests/*/__snapshot__/
|
||||||
|
@ -25,3 +25,9 @@ node_modules/
|
|||||||
package.json
|
package.json
|
||||||
package-lock.json
|
package-lock.json
|
||||||
.gitea/
|
.gitea/
|
||||||
|
Makefile
|
||||||
|
.markdownlintignore
|
||||||
|
.markdownlint.yaml
|
||||||
|
.drone.yml
|
||||||
|
CONTRIBUTING.md
|
||||||
|
unittests/
|
||||||
|
@ -50,3 +50,13 @@ be used:
|
|||||||
forwarded first from `minikube` to localhost first via `kubectl --namespace
|
forwarded first from `minikube` to localhost first via `kubectl --namespace
|
||||||
default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at
|
default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at
|
||||||
[http://localhost:3000](http://localhost:3000).
|
[http://localhost:3000](http://localhost:3000).
|
||||||
|
|
||||||
|
### Unit tests
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# install the unittest plugin
|
||||||
|
$ helm plugin install https://github.com/heyhabito/helm-unittest
|
||||||
|
|
||||||
|
# run the unittests
|
||||||
|
make unittests
|
||||||
|
```
|
||||||
|
@ -3,7 +3,7 @@ name: gitea
|
|||||||
description: Gitea Helm chart for Kubernetes
|
description: Gitea Helm chart for Kubernetes
|
||||||
type: application
|
type: application
|
||||||
version: 0.0.0
|
version: 0.0.0
|
||||||
appVersion: 1.17.4
|
appVersion: 1.18.4
|
||||||
icon: https://docs.gitea.io/images/gitea.png
|
icon: https://docs.gitea.io/images/gitea.png
|
||||||
|
|
||||||
keywords:
|
keywords:
|
||||||
|
4
Makefile
4
Makefile
@ -6,3 +6,7 @@ prepare-environment:
|
|||||||
readme: prepare-environment
|
readme: prepare-environment
|
||||||
npm run readme:parameters
|
npm run readme:parameters
|
||||||
npm run readme:lint
|
npm run readme:lint
|
||||||
|
|
||||||
|
.PHONY: unittests
|
||||||
|
unittests:
|
||||||
|
helm unittest --helm3 --strict -f 'unittests/**/*.yaml' ./
|
||||||
|
82
README.md
82
README.md
@ -41,24 +41,6 @@ of this document for major and breaking changes.
|
|||||||
- Helm 3.0+
|
- Helm 3.0+
|
||||||
- PV provisioner for persistent data support
|
- PV provisioner for persistent data support
|
||||||
|
|
||||||
## Configure Commit Signing
|
|
||||||
|
|
||||||
When using the rootless image the gpg key folder was is not persistent by
|
|
||||||
default. If you consider using signed commits for internal Gitea activities
|
|
||||||
(e.g. initial commit), you'd need to provide a signing key. Prior to
|
|
||||||
[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be
|
|
||||||
re-imported once the container got replaced by another.
|
|
||||||
|
|
||||||
The mentioned PR introduced a new configuration object `signing` allowing you to
|
|
||||||
configure prerequisites for commit signing. By default this section is disabled
|
|
||||||
to maintain backwards compatibility.
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
signing:
|
|
||||||
enabled: false
|
|
||||||
gpgHome: /data/git/.gnupg
|
|
||||||
```
|
|
||||||
|
|
||||||
## Examples
|
## Examples
|
||||||
|
|
||||||
### Gitea Configuration
|
### Gitea Configuration
|
||||||
@ -525,6 +507,49 @@ gitea:
|
|||||||
...
|
...
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Configure commit signing
|
||||||
|
|
||||||
|
When using the rootless image the gpg key folder is not persistent by
|
||||||
|
default. If you consider using signed commits for internal Gitea activities
|
||||||
|
(e.g. initial commit), you'd need to provide a signing key. Prior to
|
||||||
|
[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be
|
||||||
|
re-imported once the container got replaced by another.
|
||||||
|
|
||||||
|
The mentioned PR introduced a new configuration object `signing` allowing you to
|
||||||
|
configure prerequisites for commit signing. By default this section is disabled
|
||||||
|
to maintain backwards compatibility.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
signing:
|
||||||
|
enabled: false
|
||||||
|
gpgHome: /data/git/.gnupg
|
||||||
|
```
|
||||||
|
|
||||||
|
Regardless of the used container image the `signing` object allows to specify a
|
||||||
|
private gpg key. Either using the `signing.privateKey` to define the key inline,
|
||||||
|
or refer to an existing secret containing the key data by using `signing.existingKey`.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: custom-gitea-gpg-key
|
||||||
|
type: Opaque
|
||||||
|
stringData:
|
||||||
|
privateKey: |-
|
||||||
|
-----BEGIN PGP PRIVATE KEY BLOCK-----
|
||||||
|
...
|
||||||
|
-----END PGP PRIVATE KEY BLOCK-----
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
signing:
|
||||||
|
existingSecret: custom-gitea-gpg-key
|
||||||
|
```
|
||||||
|
|
||||||
|
To use the gpg key, Gitea needs to be configured accordingly. A detailed description
|
||||||
|
can be found in the [official Gitea documentation](https://docs.gitea.io/en-us/signing/#general-configuration).
|
||||||
|
|
||||||
### Metrics and profiling
|
### Metrics and profiling
|
||||||
|
|
||||||
A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling
|
A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling
|
||||||
@ -669,10 +694,12 @@ gitea:
|
|||||||
|
|
||||||
### Signing
|
### Signing
|
||||||
|
|
||||||
| Name | Description | Value |
|
| Name | Description | Value |
|
||||||
| ----------------- | ---------------------------- | ------------------ |
|
| ------------------------ | ----------------------------------------------------------------- | ------------------ |
|
||||||
| `signing.enabled` | Enable commit/action signing | `false` |
|
| `signing.enabled` | Enable commit/action signing | `false` |
|
||||||
| `signing.gpgHome` | GPG home directory | `/data/git/.gnupg` |
|
| `signing.gpgHome` | GPG home directory | `/data/git/.gnupg` |
|
||||||
|
| `signing.privateKey` | Inline private gpg key for signed Gitea actions | `""` |
|
||||||
|
| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` |
|
||||||
|
|
||||||
### Gitea
|
### Gitea
|
||||||
|
|
||||||
@ -786,6 +813,17 @@ See [CONTRIBUTORS GUIDE](CONTRIBUTING.md) for details.
|
|||||||
This section lists major and breaking changes of each Helm Chart version.
|
This section lists major and breaking changes of each Helm Chart version.
|
||||||
Please read them carefully to upgrade successfully.
|
Please read them carefully to upgrade successfully.
|
||||||
|
|
||||||
|
### To 7.0.0
|
||||||
|
|
||||||
|
#### Gitea 1.18.1
|
||||||
|
|
||||||
|
This Chart version updates Gitea to 1.18.1. Don't miss any application related [breaking changes of 1.18.0](https://blog.gitea.io/2022/12/gitea-1.18.0-is-released/#breaking-changes).
|
||||||
|
|
||||||
|
#### Private GPG key configuration for Gitea signing actions
|
||||||
|
|
||||||
|
Having `signing.enabled=true` now requires to use either `signing.privateKey` or `signing.existingSecret` so that the Chart can automatically prepare the GPG key for Gitea internal signing actions.
|
||||||
|
See [Configure commit signing](#configure-commit-signing) for details.
|
||||||
|
|
||||||
### To 6.0.0
|
### To 6.0.0
|
||||||
|
|
||||||
#### Different volume mounts for init-containers and runtime container
|
#### Different volume mounts for init-containers and runtime container
|
||||||
|
@ -331,3 +331,7 @@ https
|
|||||||
{{- toYaml .Values.extraVolumeMounts -}}
|
{{- toYaml .Values.extraVolumeMounts -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- define "gitea.gpg-key-secret-name" -}}
|
||||||
|
{{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
|
||||||
|
{{- end -}}
|
||||||
|
16
templates/gitea/gpg-secret.yaml
Normal file
16
templates/gitea/gpg-secret.yaml
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
{{- if .Values.signing.enabled -}}
|
||||||
|
{{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}}
|
||||||
|
{{- fail "Either specify `signing.privateKey` or `signing.existingKey`" -}}
|
||||||
|
{{- end }}
|
||||||
|
{{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ include "gitea.gpg-key-secret-name" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "gitea.labels" . | nindent 4 }}
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
privateKey: {{ .Values.signing.privateKey | b64enc }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
@ -6,6 +6,11 @@ metadata:
|
|||||||
{{- include "gitea.labels" . | nindent 4 }}
|
{{- include "gitea.labels" . | nindent 4 }}
|
||||||
type: Opaque
|
type: Opaque
|
||||||
stringData:
|
stringData:
|
||||||
|
configure_gpg_environment.sh: |-
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
set -eu
|
||||||
|
|
||||||
|
gpg --batch --import /raw/private.asc
|
||||||
init_directory_structure.sh: |-
|
init_directory_structure.sh: |-
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
@ -35,6 +40,14 @@ stringData:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
chmod ug+rwx "${GITEA_TEMP}"
|
chmod ug+rwx "${GITEA_TEMP}"
|
||||||
|
|
||||||
|
{{ if .Values.signing.enabled -}}
|
||||||
|
if [ ! -d "${GNUPGHOME}" ]; then
|
||||||
|
mkdir -p "${GNUPGHOME}"
|
||||||
|
chmod 700 "${GNUPGHOME}"
|
||||||
|
chown 1000:1000 "${GNUPGHOME}"
|
||||||
|
fi
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
configure_gitea.sh: |-
|
configure_gitea.sh: |-
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
@ -59,6 +59,10 @@ spec:
|
|||||||
{{- if .Values.statefulset.env }}
|
{{- if .Values.statefulset.env }}
|
||||||
{{- toYaml .Values.statefulset.env | nindent 12 }}
|
{{- toYaml .Values.statefulset.env | nindent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- if .Values.signing.enabled }}
|
||||||
|
- name: GNUPGHOME
|
||||||
|
value: {{ .Values.signing.gpgHome }}
|
||||||
|
{{- end }}
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: init
|
- name: init
|
||||||
mountPath: /usr/sbin
|
mountPath: /usr/sbin
|
||||||
@ -110,6 +114,36 @@ spec:
|
|||||||
{{- include "gitea.init-additional-mounts" . | nindent 12 }}
|
{{- include "gitea.init-additional-mounts" . | nindent 12 }}
|
||||||
securityContext:
|
securityContext:
|
||||||
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
|
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
|
||||||
|
{{- if .Values.signing.enabled }}
|
||||||
|
- name: configure-gpg
|
||||||
|
image: "{{ include "gitea.image" . }}"
|
||||||
|
command: ["/usr/sbin/configure_gpg_environment.sh"]
|
||||||
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||||
|
securityContext:
|
||||||
|
{{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
|
||||||
|
{{- $csc := deepCopy .Values.containerSecurityContext -}}
|
||||||
|
{{- if not (hasKey $csc "runAsUser") -}}
|
||||||
|
{{- $_ := set $csc "runAsUser" 1000 -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- toYaml $csc | nindent 12 }}
|
||||||
|
env:
|
||||||
|
- name: GNUPGHOME
|
||||||
|
value: {{ .Values.signing.gpgHome }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: init
|
||||||
|
mountPath: /usr/sbin
|
||||||
|
- name: data
|
||||||
|
mountPath: /data
|
||||||
|
{{- if .Values.persistence.subPath }}
|
||||||
|
subPath: {{ .Values.persistence.subPath }}
|
||||||
|
{{- end }}
|
||||||
|
- name: gpg-private-key
|
||||||
|
mountPath: /raw
|
||||||
|
readOnly: true
|
||||||
|
{{- if .Values.extraVolumeMounts }}
|
||||||
|
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
- name: configure-gitea
|
- name: configure-gitea
|
||||||
image: "{{ include "gitea.image" . }}"
|
image: "{{ include "gitea.image" . }}"
|
||||||
command: ["/usr/sbin/configure_gitea.sh"]
|
command: ["/usr/sbin/configure_gitea.sh"]
|
||||||
@ -305,6 +339,15 @@ spec:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
- name: temp
|
- name: temp
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
{{- if .Values.signing.enabled }}
|
||||||
|
- name: gpg-private-key
|
||||||
|
secret:
|
||||||
|
secretName: {{ include "gitea.gpg-key-secret-name" . }}
|
||||||
|
items:
|
||||||
|
- key: privateKey
|
||||||
|
path: private.asc
|
||||||
|
defaultMode: 0100
|
||||||
|
{{- end }}
|
||||||
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
|
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
|
||||||
- name: data
|
- name: data
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
|
13
unittests/gpg-secret/signing-disabled.yaml
Normal file
13
unittests/gpg-secret/signing-disabled.yaml
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
suite: GPG secret template (signing disabled)
|
||||||
|
release:
|
||||||
|
name: gitea-unittests
|
||||||
|
namespace: testing
|
||||||
|
templates:
|
||||||
|
- templates/gitea/gpg-secret.yaml
|
||||||
|
tests:
|
||||||
|
- it: renders nothing
|
||||||
|
set:
|
||||||
|
signing.enabled: false
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 0
|
40
unittests/gpg-secret/signing-enabled.yaml
Normal file
40
unittests/gpg-secret/signing-enabled.yaml
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
suite: GPG secret template (signing enabled)
|
||||||
|
release:
|
||||||
|
name: gitea-unittests
|
||||||
|
namespace: testing
|
||||||
|
templates:
|
||||||
|
- templates/gitea/gpg-secret.yaml
|
||||||
|
tests:
|
||||||
|
- it: fails rendering when nothing is configured
|
||||||
|
set:
|
||||||
|
signing:
|
||||||
|
enabled: true
|
||||||
|
asserts:
|
||||||
|
- failedTemplate:
|
||||||
|
errorMessage: Either specify `signing.privateKey` or `signing.existingKey`
|
||||||
|
- it: skips rendering using external secret reference
|
||||||
|
set:
|
||||||
|
signing:
|
||||||
|
enabled: true
|
||||||
|
existingSecret: "external-secret-reference"
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 0
|
||||||
|
- it: renders secret specification using inline gpg key
|
||||||
|
set:
|
||||||
|
signing:
|
||||||
|
enabled: true
|
||||||
|
privateKey: "gpg-key-placeholder"
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 1
|
||||||
|
- documentIndex: 0
|
||||||
|
containsDocument:
|
||||||
|
kind: Secret
|
||||||
|
apiVersion: v1
|
||||||
|
name: gitea-unittests-gpg-key
|
||||||
|
- isNotEmpty:
|
||||||
|
path: metadata.labels
|
||||||
|
- equal:
|
||||||
|
path: data.privateKey
|
||||||
|
value: "Z3BnLWtleS1wbGFjZWhvbGRlcg=="
|
15
unittests/init/basic.yaml
Normal file
15
unittests/init/basic.yaml
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
suite: Init template (basic)
|
||||||
|
release:
|
||||||
|
name: gitea-unittests
|
||||||
|
namespace: testing
|
||||||
|
templates:
|
||||||
|
- templates/gitea/init.yaml
|
||||||
|
tests:
|
||||||
|
- it: renders a secret
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 1
|
||||||
|
- containsDocument:
|
||||||
|
kind: Secret
|
||||||
|
apiVersion: v1
|
||||||
|
name: gitea-unittests-init
|
64
unittests/init/init_directory_structure.sh.yaml
Normal file
64
unittests/init/init_directory_structure.sh.yaml
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
suite: Init template
|
||||||
|
release:
|
||||||
|
name: gitea-unittests
|
||||||
|
namespace: testing
|
||||||
|
templates:
|
||||||
|
- templates/gitea/init.yaml
|
||||||
|
tests:
|
||||||
|
- it: runs gpg in batch mode
|
||||||
|
set:
|
||||||
|
signing.enabled: true
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: stringData.[configure_gpg_environment.sh]
|
||||||
|
value: |-
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
set -eu
|
||||||
|
|
||||||
|
gpg --batch --import /raw/private.asc
|
||||||
|
- it: skips gpg script block for disabled signing
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: stringData.[init_directory_structure.sh]
|
||||||
|
value: |-
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
set -x
|
||||||
|
chown 1000:1000 /data
|
||||||
|
mkdir -p /data/git/.ssh
|
||||||
|
chmod -R 700 /data/git/.ssh
|
||||||
|
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
|
||||||
|
|
||||||
|
# prepare temp directory structure
|
||||||
|
mkdir -p "${GITEA_TEMP}"
|
||||||
|
chown 1000:1000 "${GITEA_TEMP}"
|
||||||
|
chmod ug+rwx "${GITEA_TEMP}"
|
||||||
|
- it: adds gpg script block for enabled signing
|
||||||
|
set:
|
||||||
|
signing.enabled: true
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: stringData.[init_directory_structure.sh]
|
||||||
|
value: |-
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
set -x
|
||||||
|
chown 1000:1000 /data
|
||||||
|
mkdir -p /data/git/.ssh
|
||||||
|
chmod -R 700 /data/git/.ssh
|
||||||
|
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
|
||||||
|
|
||||||
|
# prepare temp directory structure
|
||||||
|
mkdir -p "${GITEA_TEMP}"
|
||||||
|
chown 1000:1000 "${GITEA_TEMP}"
|
||||||
|
chmod ug+rwx "${GITEA_TEMP}"
|
||||||
|
|
||||||
|
if [ ! -d "${GNUPGHOME}" ]; then
|
||||||
|
mkdir -p "${GNUPGHOME}"
|
||||||
|
chmod 700 "${GNUPGHOME}"
|
||||||
|
chown 1000:1000 "${GNUPGHOME}"
|
||||||
|
fi
|
17
unittests/statefulset/basic.yaml
Normal file
17
unittests/statefulset/basic.yaml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
suite: Statefulset template (basic)
|
||||||
|
release:
|
||||||
|
name: gitea-unittests
|
||||||
|
namespace: testing
|
||||||
|
templates:
|
||||||
|
- templates/gitea/statefulset.yaml
|
||||||
|
- templates/gitea/config.yaml
|
||||||
|
tests:
|
||||||
|
- it: renders a statefulset
|
||||||
|
template: templates/gitea/statefulset.yaml
|
||||||
|
asserts:
|
||||||
|
- hasDocuments:
|
||||||
|
count: 1
|
||||||
|
- containsDocument:
|
||||||
|
kind: StatefulSet
|
||||||
|
apiVersion: apps/v1
|
||||||
|
name: gitea-unittests
|
40
unittests/statefulset/signing-disabled.yaml
Normal file
40
unittests/statefulset/signing-disabled.yaml
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
suite: Statefulset template (signing disabled)
|
||||||
|
release:
|
||||||
|
name: gitea-unittests
|
||||||
|
namespace: testing
|
||||||
|
templates:
|
||||||
|
- templates/gitea/statefulset.yaml
|
||||||
|
- templates/gitea/config.yaml
|
||||||
|
tests:
|
||||||
|
- it: skips gpg init container
|
||||||
|
template: templates/gitea/statefulset.yaml
|
||||||
|
asserts:
|
||||||
|
- notContains:
|
||||||
|
path: spec.template.spec.initContainers
|
||||||
|
any: true
|
||||||
|
content:
|
||||||
|
name: configure-gpg
|
||||||
|
- it: skips gpg env in `init-directories` init container
|
||||||
|
template: templates/gitea/statefulset.yaml
|
||||||
|
set:
|
||||||
|
signing.enabled: true
|
||||||
|
asserts:
|
||||||
|
- contains:
|
||||||
|
path: spec.template.spec.initContainers[0].env
|
||||||
|
content:
|
||||||
|
name: GNUPGHOME
|
||||||
|
value: /data/git/.gnupg
|
||||||
|
- it: skips gpg env in runtime container
|
||||||
|
template: templates/gitea/statefulset.yaml
|
||||||
|
asserts:
|
||||||
|
- notContains:
|
||||||
|
path: spec.template.spec.containers[0].env
|
||||||
|
content:
|
||||||
|
name: GNUPGHOME
|
||||||
|
- it: skips gpg volume spec
|
||||||
|
template: templates/gitea/statefulset.yaml
|
||||||
|
asserts:
|
||||||
|
- notContains:
|
||||||
|
path: spec.template.spec.volumes
|
||||||
|
content:
|
||||||
|
name: gpg-private-key
|
93
unittests/statefulset/signing-enabled.yaml
Normal file
93
unittests/statefulset/signing-enabled.yaml
Normal file
@ -0,0 +1,93 @@
|
|||||||
|
suite: Statefulset template (signing enabled)
|
||||||
|
release:
|
||||||
|
name: gitea-unittests
|
||||||
|
namespace: testing
|
||||||
|
templates:
|
||||||
|
- templates/gitea/statefulset.yaml
|
||||||
|
- templates/gitea/config.yaml
|
||||||
|
tests:
|
||||||
|
- it: adds gpg init container
|
||||||
|
template: templates/gitea/statefulset.yaml
|
||||||
|
set:
|
||||||
|
signing:
|
||||||
|
enabled: true
|
||||||
|
existingSecret: "custom-gpg-secret"
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.template.spec.initContainers[2].name
|
||||||
|
value: configure-gpg
|
||||||
|
- equal:
|
||||||
|
path: spec.template.spec.initContainers[2].command
|
||||||
|
value: ["/usr/sbin/configure_gpg_environment.sh"]
|
||||||
|
- equal:
|
||||||
|
path: spec.template.spec.initContainers[2].securityContext
|
||||||
|
value:
|
||||||
|
runAsUser: 1000
|
||||||
|
- equal:
|
||||||
|
path: spec.template.spec.initContainers[2].env
|
||||||
|
value:
|
||||||
|
- name: GNUPGHOME
|
||||||
|
value: /data/git/.gnupg
|
||||||
|
- equal:
|
||||||
|
path: spec.template.spec.initContainers[2].volumeMounts
|
||||||
|
value:
|
||||||
|
- name: init
|
||||||
|
mountPath: /usr/sbin
|
||||||
|
- name: data
|
||||||
|
mountPath: /data
|
||||||
|
- name: gpg-private-key
|
||||||
|
mountPath: /raw
|
||||||
|
readOnly: true
|
||||||
|
- it: adds gpg env in `init-directories` init container
|
||||||
|
template: templates/gitea/statefulset.yaml
|
||||||
|
set:
|
||||||
|
signing.enabled: true
|
||||||
|
asserts:
|
||||||
|
- contains:
|
||||||
|
path: spec.template.spec.initContainers[0].env
|
||||||
|
content:
|
||||||
|
name: GNUPGHOME
|
||||||
|
value: /data/git/.gnupg
|
||||||
|
- it: adds gpg env in runtime container
|
||||||
|
template: templates/gitea/statefulset.yaml
|
||||||
|
set:
|
||||||
|
signing.enabled: true
|
||||||
|
asserts:
|
||||||
|
- contains:
|
||||||
|
path: spec.template.spec.containers[0].env
|
||||||
|
content:
|
||||||
|
name: GNUPGHOME
|
||||||
|
value: /data/git/.gnupg
|
||||||
|
- it: adds gpg volume spec
|
||||||
|
template: templates/gitea/statefulset.yaml
|
||||||
|
set:
|
||||||
|
signing:
|
||||||
|
enabled: true
|
||||||
|
asserts:
|
||||||
|
- contains:
|
||||||
|
path: spec.template.spec.volumes
|
||||||
|
content:
|
||||||
|
name: gpg-private-key
|
||||||
|
secret:
|
||||||
|
secretName: gitea-unittests-gpg-key
|
||||||
|
items:
|
||||||
|
- key: privateKey
|
||||||
|
path: private.asc
|
||||||
|
defaultMode: 0100
|
||||||
|
- it: supports gpg volume spec with external reference
|
||||||
|
template: templates/gitea/statefulset.yaml
|
||||||
|
set:
|
||||||
|
signing:
|
||||||
|
enabled: true
|
||||||
|
existingSecret: custom-gpg-secret
|
||||||
|
asserts:
|
||||||
|
- contains:
|
||||||
|
path: spec.template.spec.volumes
|
||||||
|
content:
|
||||||
|
name: gpg-private-key
|
||||||
|
secret:
|
||||||
|
secretName: custom-gpg-secret
|
||||||
|
items:
|
||||||
|
- key: privateKey
|
||||||
|
path: private.asc
|
||||||
|
defaultMode: 0100
|
12
values.yaml
12
values.yaml
@ -63,7 +63,7 @@ containerSecurityContext: {}
|
|||||||
# runAsNonRoot: true
|
# runAsNonRoot: true
|
||||||
# runAsUser: 1000
|
# runAsUser: 1000
|
||||||
|
|
||||||
## @depracated The securityContext variable has been split two:
|
## @deprecated The securityContext variable has been split two:
|
||||||
## - containerSecurityContext
|
## - containerSecurityContext
|
||||||
## - podSecurityContext.
|
## - podSecurityContext.
|
||||||
## @param securityContext Run init and Gitea containers as a specific securityContext
|
## @param securityContext Run init and Gitea containers as a specific securityContext
|
||||||
@ -228,7 +228,7 @@ extraContainerVolumeMounts: []
|
|||||||
## @param extraInitVolumeMounts Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.
|
## @param extraInitVolumeMounts Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration.
|
||||||
extraInitVolumeMounts: []
|
extraInitVolumeMounts: []
|
||||||
|
|
||||||
## @depracated The extraVolumeMounts variable has been split two:
|
## @deprecated The extraVolumeMounts variable has been split two:
|
||||||
## - extraContainerVolumeMounts
|
## - extraContainerVolumeMounts
|
||||||
## - extraInitVolumeMounts
|
## - extraInitVolumeMounts
|
||||||
## As an example, can be used to mount a client cert when connecting to an external Postgres server.
|
## As an example, can be used to mount a client cert when connecting to an external Postgres server.
|
||||||
@ -253,9 +253,17 @@ initPreScript: ""
|
|||||||
#
|
#
|
||||||
## @param signing.enabled Enable commit/action signing
|
## @param signing.enabled Enable commit/action signing
|
||||||
## @param signing.gpgHome GPG home directory
|
## @param signing.gpgHome GPG home directory
|
||||||
|
## @param signing.privateKey Inline private gpg key for signed Gitea actions
|
||||||
|
## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
|
||||||
signing:
|
signing:
|
||||||
enabled: false
|
enabled: false
|
||||||
gpgHome: /data/git/.gnupg
|
gpgHome: /data/git/.gnupg
|
||||||
|
privateKey: ""
|
||||||
|
# privateKey: |-
|
||||||
|
# -----BEGIN PGP PRIVATE KEY BLOCK-----
|
||||||
|
# ...
|
||||||
|
# -----END PGP PRIVATE KEY BLOCK-----
|
||||||
|
existingSecret: ""
|
||||||
|
|
||||||
## @section Gitea
|
## @section Gitea
|
||||||
#
|
#
|
||||||
|
Reference in New Issue
Block a user