From 57479bdf37807b4645da7a62d2f0a955adcfb7d6 Mon Sep 17 00:00:00 2001 
From: petergardfjall Date: Wed, 20 Jan 2021 19:28:39 +0800 Subject: [PATCH] enhancements to support postgres client-cert authentication (#47) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR adds a few new chart features which add to the flexibility of the chart. - allow extra volumes to be mounted (such as secrets): 2f862c5a48 - pass environment variables also to the init-container: 7044049478 - allow a preparation script to be "injected" into the init-container: 6125a69345 As a concrete example of how this can be used, I use it to configure Gitea to use client certificate authentication against an external Postgres database. That could be accomplished by having a `gitea-postgres-ssl` secret: ``` apiVersion: v1 kind: Secret type: Opaque metadata: name: gitea-postgres-ssl data: postgresql.crt: postgresql.key: root.crt: ``` and then mounting this as a volume in Gitea using: ``` extraVolumes: - name: postgres-ssl-vol secret: secretName: gitea-postgres-ssl extraVolumeMounts: - name: postgres-ssl-vol readOnly: true mountPath: "/pg-ssl" ``` To get the right permissions on the credentials, we'd use the `initPreScript`: ``` initPreScript: | # copy postgres client and CA cert from mount and # give proper permissions mkdir -p /data/git/.postgresql cp /pg-ssl/* /data/git/.postgresql/ chown -R git:git /data/git/.postgresql/ chmod 400 /data/git/.postgresql/postgresql.key ``` and to make sure that Gitea uses the certificate we need to pass the proper postgres environment variables (both to the init container and the "main" container): ``` statefulset: env: - name: "PGSSLCERT" value: "/data/git/.postgresql/postgresql.crt" - name: "PGSSLKEY" value: "/data/git/.postgresql/postgresql.key" - name: "PGSSLROOTCERT" value: "/data/git/.postgresql/root.crt" ``` Co-authored-by: Peter Gardfjäll Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/47 Reviewed-by: luhahn Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: petergardfjall
Co-committed-by: petergardfjall
---
 README.md | 11 +++++++----
 templates/gitea/init.yaml | 10 +++++++++-
 templates/gitea/statefulset.yaml | 14 ++++++++++++++
 values.yaml | 31 ++++++++++++++++++++++++++++---
 4 files changed, 58 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 07ad24c..ab7191a 100644
--- a/README.md
+++ b/README.md
@@ -291,10 +291,13 @@ Annotations can be added to the Gitea pod.
 
 ### Others
 
-| Parameter | Description | Default |
-|---------------------|-----------------------------------|------------------------------|
-|statefulset.terminationGracePeriodSeconds| Image to start for this pod | gitea/gitea |
-|statefulset.env | Additional environment variables to pass to containers | [] |
+| Parameter | Description | Default |
+|-------------------------------------------|--------------------------------------------------------|-------------|
+| statefulset.terminationGracePeriodSeconds | Image to start for this pod | gitea/gitea |
+| statefulset.env | Additional environment variables to pass to containers | [] |
+| extraVolumes | Additional volumes to mount to the Gitea statefulset | {} |
+| extraVolumeMounts | Additional volumes mounts for the Gitea containers | {} |
+| initPreScript | Bash script copied verbatim to start of init container | |
 
 ### Image
 
diff --git a/templates/gitea/init.yaml b/templates/gitea/init.yaml
index fd60719..79c2a00 100644
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
@@ -8,6 +8,14 @@ type: Opaque
 stringData:
 init_gitea.sh: |-
 #!/bin/bash
+ {{- if .Values.initPreScript }}
+ # BEGIN: initPreScript
+ {{- with .Values.initPreScript -}}
+ {{ . | nindent 4}}
+ {{- end -}}
+ # END: initPreScript
+ {{- end }}
+
 mkdir -p /data/git/.ssh
 chmod -R 700 /data/git/.ssh
 mkdir -p /data/gitea/conf
@@ -32,4 +40,4 @@ stringData:
 {{- include "gitea.ldap_settings" . | nindent 6 }} \
 ) \
 {{- end }}
- '
\ No newline at end of file
+ '
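Review bot: The `{{- end -}}` closing the `with` block in the init.yaml hunk trims the newline in front of `# END: initPreScript`, so whenever the supplied script does not end in a newline (a `|-` block scalar, or a plain string given via `--set`) the marker is glued onto the last script line, e.g. `chmod 400 /data/git/.postgresql/postgresql.key# END: initPreScript`, and bash reads that `#` as part of the filename rather than as a comment. Dropping the right-hand trim, `{{- end }}`, keeps the template's own newline so the END marker always lands on its own line; with a value that does end in a newline the only difference is one whitespace-only line before the marker. Since the value is copied verbatim into the script the init container executes, before the `mkdir`/`chmod` steps that follow, I'd also have the `# BEGIN: initPreScript` comment (or the values.yaml entry) say that it runs with that container's privileges, so whoever supplies a values file treats it as code rather than configuration.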
diff --git a/templates/gitea/statefulset.yaml b/templates/gitea/statefulset.yaml
index bf41b3b..dff1400 100644
--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
@@ -31,6 +31,11 @@ spec:
 - name: init
 image: "{{ .Values.image.repository }}:{{ ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") }}"
 command: ["/usr/sbin/init_gitea.sh"]
+ env:
+ {{- range .Values.statefulset.env }}
+ - name: {{ .name | quote | nospace }}
+ value: {{ .value | quote }}
+ {{- end }}
 volumeMounts:
 - name: init
 mountPath: /usr/sbin
@@ -38,6 +43,9 @@ spec:
 mountPath: /etc/gitea/conf
 - name: data
 mountPath: /data
+ {{- if .Values.extraVolumeMounts }}
+ {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+ {{- end }}
 terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
 containers:
 - name: {{ .Chart.Name }}
@@ -78,6 +86,9 @@ spec:
 volumeMounts:
 - name: data
 mountPath: /data
+ {{- if .Values.extraVolumeMounts }}
+ {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
@@ -98,6 +109,9 @@ spec:
 - name: config
 secret:
 secretName: {{ include "gitea.fullname" . }}
+ {{- if .Values.extraVolumes }}
+ {{- toYaml .Values.extraVolumes | nindent 8 }}
+ {{- end }}
 {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
 - name: data
 persistentVolumeClaim:
diff --git a/values.yaml b/values.yaml
index 98c7a63..760c23e 100644
--- a/values.yaml
+++ b/values.yaml
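Review bot: The new init-container `env:` loop in the first statefulset.yaml hunk only emits `name`/`value` pairs, so an entry in `statefulset.env` that uses `valueFrom` (for instance a `secretKeyRef` for a database password) is rendered with an empty `value` and the secret reference is silently dropped; the main container's loop is outside this hunk, and if it has the same shape the same applies there. Passing the list through unchanged, `{{- with .Values.statefulset.env }}` / `env:` / `{{- toYaml . | nindent 12 }}` / `{{- end }}`, supports both forms and also stops emitting a bare `env:` key when the list is unset. The README row for `statefulset.env` should now state that these variables reach the init container as well, since anything sensitive placed there is exposed to both containers from this change on.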
@@ -69,11 +69,36 @@ statefulset:
 persistence:
 enabled: true
- # existingClaim:
+ # existingClaim:
 size: 10Gi
 accessModes:
 - ReadWriteOnce
+# additional volumes to add to the Gitea statefulset.
+extraVolumes:
+# - name: postgres-ssl-vol
+# secret:
+# secretName: gitea-postgres-ssl
+
+
+# additional volumes to mount, both to the init container and to the main
+# container. As an example, can be used to mount a client cert when connecting
+# to an external Postgres server.
+extraVolumeMounts:
+# - name: postgres-ssl-vol
+# readOnly: true
+# mountPath: "/pg-ssl"
+
+# bash shell script copied verbatim to the start of the init-container.
+initPreScript: ""
+#
+# initPreScript: |
+# mkdir -p /data/git/.postgresql
+# cp /pg-ssl/* /data/git/.postgresql/
+# chown -R git:git /data/git/.postgresql/
+# chmod 400 /data/git/.postgresql/postgresql.key
+
+
 gitea:
 admin:
 username: gitea_admin
@@ -96,8 +121,8 @@ gitea:
 config: {}
 # APP_NAME: "Gitea: Git with a cup of tea"
- # RUN_MODE: dev
- #
+ # RUN_MODE: dev
+ #
 # server:
 # SSH_PORT: 22
 #
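Review bot: `extraVolumes:` and `extraVolumeMounts:` are added as bare keys, which YAML reads as null, while the README rows added in this PR give their default as `{}`; the templates splice these values into the `volumes`/`volumeMounts` sequences, so the documented type is wrong and a user who starts from `{}` and adds a `name:` entry gets a mapping where a list item is required. I'd write `extraVolumes: []` and `extraVolumeMounts: []` here and change both README defaults to `[]`. The `initPreScript` comment should also say the script is executed, not just copied, e.g. `# bash shell script executed verbatim at the start of the init container, with that container's privileges; review it like any other code in the release.`. The commented example copies `/pg-ssl/*` into `/data/git/.postgresql`, i.e. onto the persistent data volume, so the client key then exists both in the Secret and on the PVC (and in any snapshot or backup of it); a one-line comment pointing that out would help operators decide whether to mount the secret directly instead.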