From 1f95ae962c66830bc093391e44d4acbcd9afc6dc Mon Sep 17 00:00:00 2001
From: luhahn
Date: Fri, 25 Sep 2020 13:37:55 +0000
Subject: [PATCH] Move all password related data to secrets (#28)

Bump Chart version
Move all password related data to secrets
Co-authored-by: Lucas Hahn
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/28
Reviewed-by: techknowlogick
Reviewed-by: Lunny Xiao
---
 Chart.yaml | 2 +-
 templates/gitea/config.yaml | 5 +-
 templates/gitea/init.yaml | 57 +++++++++++++++++++++++++++++
 templates/gitea/statefulset.yaml | 62 +++++--------------------------
 4 files changed, 70 insertions(+), 56 deletions(-)
 create mode 100644 templates/gitea/init.yaml

diff --git a/Chart.yaml b/Chart.yaml
index 0cc986b..a4ff59b 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
-version: 1.4.9
+version: 1.5.0
 appVersion: 1.12.4
 icon: https://docs.gitea.io/images/gitea.png
diff --git a/templates/gitea/config.yaml b/templates/gitea/config.yaml
index b882920..79e5343 100644
--- a/templates/gitea/config.yaml
+++ b/templates/gitea/config.yaml
@@ -1,10 +1,11 @@
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
 name: {{ include "gitea.fullname" . }}
 labels:
 {{- include "gitea.labels" . | nindent 4 }}
-data:
+type: Opaque
+stringData:
 app.ini: |-
 {{- if not (hasKey .Values.gitea.config "cache") -}}
 {{- $_ := set .Values.gitea.config "cache" dict -}}
diff --git a/templates/gitea/init.yaml b/templates/gitea/init.yaml
new file mode 100644
index 0000000..7d8e12f
--- /dev/null
+++ b/templates/gitea/init.yaml
@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "gitea.fullname" . }}-init
+ labels:
+ {{- include "gitea.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+ init_gitea.sh: |-
+ #!/bin/bash
+ mkdir -p /data/git/.ssh
+ chmod -R 700 /data/git/.ssh
+ mkdir -p /data/gitea/conf
+ cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
+ chmod a+rwx /data/gitea/conf/app.ini
+ nc -v -w2 -z {{ include "db.servicename" . }} {{ include "db.port" . }} && \
+ su git -c ' \
+ set -x; \
+ gitea migrate; \
+ {{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}
+ gitea admin create-user --username {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}' --email {{ .Values.gitea.admin.email }} --admin \
+ || \
+ gitea admin change-password --username {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}'; \
+ {{- end }}
+ {{- if .Values.gitea.ldap.enabled }}
+ gitea admin auth add-ldap \
+ --name {{ .Values.gitea.ldap.name | quote }} \
+ --security-protocol {{ .Values.gitea.ldap.securityProtocol | quote }} \
+ --host {{ .Values.gitea.ldap.host | quote }} \
+ --port {{ .Values.gitea.ldap.port | int}} \
+ --user-search-base {{ .Values.gitea.ldap.userSearchBase | quote }} \
+ --user-filter {{ .Values.gitea.ldap.userFilter | quote }} \
+ --admin-filter {{ .Values.gitea.ldap.adminFilter | quote }} \
+ --email-attribute {{ .Values.gitea.ldap.emailAttribute | quote }} \
+ --bind-dn {{ .Values.gitea.ldap.bindDn | quote }} \
+ --bind-password {{ .Values.gitea.ldap.bindPassword | quote }} \
+ --synchronize-users \
+ --username-attribute {{ .Values.gitea.ldap.usernameAttribute | quote }} \
+ || \
+ ( \
+ export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.ldap.name | quote }} | awk -F " " "{print \$1}"); \
+ gitea admin auth update-ldap --id ${GITEA_AUTH_ID} \
+ --name {{ .Values.gitea.ldap.name | quote }} \
+ --security-protocol {{ .Values.gitea.ldap.securityProtocol | quote }} \
+ --host {{ .Values.gitea.ldap.host | quote }} \
+ --port {{ .Values.gitea.ldap.port | int}} \
+ --user-search-base {{ .Values.gitea.ldap.userSearchBase | quote }} \
+ --user-filter {{ .Values.gitea.ldap.userFilter | quote }} \
+ --admin-filter {{ .Values.gitea.ldap.adminFilter | quote }} \
+ --email-attribute {{ .Values.gitea.ldap.emailAttribute | quote }} \
+ --bind-dn {{ .Values.gitea.ldap.bindDn | quote }} \
+ --bind-password {{ .Values.gitea.ldap.bindPassword | quote }} \
+ --synchronize-users \
+ --username-attribute {{ .Values.gitea.ldap.usernameAttribute | quote }} \
+ ) \
+ {{- end }}
+ '
\ No newline at end of file
diff --git a/templates/gitea/statefulset.yaml b/templates/gitea/statefulset.yaml
index e164074..3ad67b8 100644
--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
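Review bot: The `set -x;` at the top of the `su git -c` script makes bash echo every following command, including `--password '…'` and `--bind-password …`, to the init container's output, so the passwords this commit moves into a Secret are still written to the pod log on every start; drop that line, or keep it only for the non-credential part of the script. The `chmod a+rwx /data/gitea/conf/app.ini` just above also leaves the copied app.ini, which now carries whatever the config Secret holds, readable and writable by every user on the data volume; `chown git:git /data/gitea/conf/app.ini` followed by `chmod 600 /data/gitea/conf/app.ini` is enough if the git user is the only reader, which the `su git -c` here suggests but the main container's run-as user is outside this hunk. Note too that `.Values.gitea.admin.password` is interpolated raw inside the single-quoted `su -c` script, so a password containing `'` or `$` breaks the command or is expanded by the shell rather than rejected.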
@@ -25,58 +25,10 @@ spec:
 initContainers:
 - name: init
 image: "{{ .Values.image.repository }}:{{ .Values.image.version }}"
- env:
- - name: SCRIPT
- value: &script |-
- mkdir -p /data/git/.ssh
- chmod -R 700 /data/git/.ssh
- mkdir -p /data/gitea/conf
- cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
- chmod a+rwx /data/gitea/conf/app.ini
- nc -v -w2 -z {{ include "db.servicename" . }} {{ include "db.port" . }} && \
- su git -c ' \
- set -x; \
- gitea migrate; \
- {{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}
- gitea admin create-user --username {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}' --email {{ .Values.gitea.admin.email }} --admin \
- || \
- gitea admin change-password --username {{ .Values.gitea.admin.username }} --password '{{ .Values.gitea.admin.password }}'; \
- {{- end }}
- {{- if .Values.gitea.ldap.enabled }}
- gitea admin auth add-ldap \
- --name {{ .Values.gitea.ldap.name | quote }} \
- --security-protocol {{ .Values.gitea.ldap.securityProtocol | quote }} \
- --host {{ .Values.gitea.ldap.host | quote }} \
- --port {{ .Values.gitea.ldap.port | int}} \
- --user-search-base {{ .Values.gitea.ldap.userSearchBase | quote }} \
- --user-filter {{ .Values.gitea.ldap.userFilter | quote }} \
- --admin-filter {{ .Values.gitea.ldap.adminFilter | quote }} \
- --email-attribute {{ .Values.gitea.ldap.emailAttribute | quote }} \
- --bind-dn {{ .Values.gitea.ldap.bindDn | quote }} \
- --bind-password {{ .Values.gitea.ldap.bindPassword | quote }} \
- --synchronize-users \
- --username-attribute {{ .Values.gitea.ldap.usernameAttribute | quote }} \
- || \
- ( \
- export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.ldap.name | quote }} | awk -F " " "{print \$1}"); \
- gitea admin auth update-ldap --id ${GITEA_AUTH_ID} \
- --name {{ .Values.gitea.ldap.name | quote }} \
- --security-protocol {{ .Values.gitea.ldap.securityProtocol | quote }} \
- --host {{ .Values.gitea.ldap.host | quote }} \
- --port {{ .Values.gitea.ldap.port | int}} \
- --user-search-base {{ .Values.gitea.ldap.userSearchBase | quote }} \
- --user-filter {{ .Values.gitea.ldap.userFilter | quote }} \
- --admin-filter {{ .Values.gitea.ldap.adminFilter | quote }} \
- --email-attribute {{ .Values.gitea.ldap.emailAttribute | quote }} \
- --bind-dn {{ .Values.gitea.ldap.bindDn | quote }} \
- --bind-password {{ .Values.gitea.ldap.bindPassword | quote }} \
- --synchronize-users \
- --username-attribute {{ .Values.gitea.ldap.usernameAttribute | quote }} \
- ) \
- {{- end }}
- '
- command: ["/bin/sh",'-c', *script]
+ command: ["/usr/sbin/init_gitea.sh"]
 volumeMounts:
+ - name: init
+ mountPath: /usr/sbin
 - name: config
 mountPath: /etc/gitea/conf
 - name: data
@@ -134,9 +86,13 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 volumes:
+ - name: init
+ secret:
+ secretName: {{ include "gitea.fullname" . }}-init
+ defaultMode: 0777
 - name: config
- configMap:
- name: {{ include "gitea.fullname" . }}
+ secret:
+ secretName: {{ include "gitea.fullname" . }}
 {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
 - name: data
 persistentVolumeClaim:
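Review bot: Mounting the init Secret at `mountPath: /usr/sbin` replaces that whole directory inside the init container with the single `init_gitea.sh` file, so any binary the image ships there is hidden while the init step runs; whether the script depends on one cannot be told from this hunk, but a path the image does not use avoids the question, e.g. `mountPath: /usr/local/init` together with `command: ["/usr/local/init/init_gitea.sh"]`. The init container's securityContext and run-as user lie outside the hunk.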
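Review bot: `defaultMode: 0777` on the new init Secret volume grants write and world permissions the script does not need; Secret volumes are projected read-only, so `defaultMode: 0555` (or `0500` if the init container runs as root, which the `su git -c` in the script suggests) is enough to execute it. The config Secret volume added just below gets no `defaultMode`, so app.ini, which now carries the chart's passwords, is projected with the Kubernetes default of 0644 and is readable by any user in the pod; consider `defaultMode: 0400` there if the copying init container is the only reader, which cannot be confirmed from this hunk. The leading-zero octal form is honoured because Kubernetes parses manifests with YAML 1.1 semantics; a strict YAML 1.2 loader would read it as decimal, so keep that in mind if the chart is ever linted with one.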