mirror of
https://gitea.com/gitea/helm-chart.git
synced 2024-07-04 23:34:12 +02:00
enhancements to support postgres client-cert authentication (#47)
This PR adds a few new chart features which adds to the flexibility of the chart. - allow extra volumes to be mounted (such as secrets): 2f862c5a48 - pass environment variables also to the init-container: 7044049478 - allow a preparation script to be "injected" into the init-container: 6125a69345 As a concrete example of how this can be used, I use is to configure Gitea to use client certificate authentication against an external Postgres database. That could be accomplished by having a `gitea-postgres-ssl` secret: ``` apiVersion: v1 kind: Secret type: Opaque metadata: name: gitea-postgres-ssl data: postgresql.crt: <base64...> postgresql.key: <base64...> root.crt: <base64...> ``` and then mounting this as a volume in Gitea using: ``` extraVolumes: - name: postgres-ssl-vol secret: secretName: gitea-postgres-ssl extraVolumeMounts: - name: postgres-ssl-vol readOnly: true mountPath: "/pg-ssl" ``` To get the right permissions on the credentials, we'd use the `initPreScript`: ``` initPreScript: | # copy postgres client and CA cert from mount and # give proper permissions mkdir -p /data/git/.postgresql cp /pg-ssl/* /data/git/.postgresql/ chown -R git:git /data/git/.postgresql/ chmod 400 /data/git/.postgresql/postgresql.key ``` and to make sure that Gitea uses the certificate we need to pass the proper postgres environment variables (both to the init container and the "main" container): ``` statefulset: env: - name: "PGSSLCERT" value: "/data/git/.postgresql/postgresql.crt" - name: "PGSSLKEY" value: "/data/git/.postgresql/postgresql.key" - name: "PGSSLROOTCERT" value: "/data/git/.postgresql/root.crt" ``` Co-authored-by: Peter Gardfjäll <peter.gardfjall.work@gmail.com> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/47 Reviewed-by: luhahn <luhahn@noreply.gitea.io> Reviewed-by: 6543 <6543@obermui.de> Co-authored-by: petergardfjall <petergardfjall@noreply.gitea.io> Co-committed-by: petergardfjall <petergardfjall@noreply.gitea.io>
This commit is contained in:
parent
0c8f226f1f
commit
57479bdf37
11
README.md
11
README.md
@ -291,10 +291,13 @@ Annotations can be added to the Gitea pod.
|
|||||||
|
|
||||||
### Others
|
### Others
|
||||||
|
|
||||||
| Parameter | Description | Default |
|
| Parameter | Description | Default |
|
||||||
|---------------------|-----------------------------------|------------------------------|
|
|-------------------------------------------|--------------------------------------------------------|-------------|
|
||||||
|statefulset.terminationGracePeriodSeconds| Image to start for this pod | gitea/gitea |
|
| statefulset.terminationGracePeriodSeconds | Image to start for this pod | gitea/gitea |
|
||||||
|statefulset.env | Additional environment variables to pass to containers | [] |
|
| statefulset.env | Additional environment variables to pass to containers | [] |
|
||||||
|
| extraVolumes | Additional volumes to mount to the Gitea statefulset | {} |
|
||||||
|
| extraVolumeMounts | Additional volumes mounts for the Gitea containers | {} |
|
||||||
|
| initPreScript | Bash script copied verbatim to start of init container | |
|
||||||
|
|
||||||
### Image
|
### Image
|
||||||
|
|
||||||
|
@ -8,6 +8,14 @@ type: Opaque
|
|||||||
stringData:
|
stringData:
|
||||||
init_gitea.sh: |-
|
init_gitea.sh: |-
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
{{- if .Values.initPreScript }}
|
||||||
|
# BEGIN: initPreScript
|
||||||
|
{{- with .Values.initPreScript -}}
|
||||||
|
{{ . | nindent 4}}
|
||||||
|
{{- end -}}
|
||||||
|
# END: initPreScript
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
mkdir -p /data/git/.ssh
|
mkdir -p /data/git/.ssh
|
||||||
chmod -R 700 /data/git/.ssh
|
chmod -R 700 /data/git/.ssh
|
||||||
mkdir -p /data/gitea/conf
|
mkdir -p /data/gitea/conf
|
||||||
@ -32,4 +40,4 @@ stringData:
|
|||||||
{{- include "gitea.ldap_settings" . | nindent 6 }} \
|
{{- include "gitea.ldap_settings" . | nindent 6 }} \
|
||||||
) \
|
) \
|
||||||
{{- end }}
|
{{- end }}
|
||||||
'
|
'
|
||||||
|
@ -31,6 +31,11 @@ spec:
|
|||||||
- name: init
|
- name: init
|
||||||
image: "{{ .Values.image.repository }}:{{ ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") }}"
|
image: "{{ .Values.image.repository }}:{{ ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") }}"
|
||||||
command: ["/usr/sbin/init_gitea.sh"]
|
command: ["/usr/sbin/init_gitea.sh"]
|
||||||
|
env:
|
||||||
|
{{- range .Values.statefulset.env }}
|
||||||
|
- name: {{ .name | quote | nospace }}
|
||||||
|
value: {{ .value | quote }}
|
||||||
|
{{- end }}
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: init
|
- name: init
|
||||||
mountPath: /usr/sbin
|
mountPath: /usr/sbin
|
||||||
@ -38,6 +43,9 @@ spec:
|
|||||||
mountPath: /etc/gitea/conf
|
mountPath: /etc/gitea/conf
|
||||||
- name: data
|
- name: data
|
||||||
mountPath: /data
|
mountPath: /data
|
||||||
|
{{- if .Values.extraVolumeMounts }}
|
||||||
|
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
|
terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
|
||||||
containers:
|
containers:
|
||||||
- name: {{ .Chart.Name }}
|
- name: {{ .Chart.Name }}
|
||||||
@ -78,6 +86,9 @@ spec:
|
|||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: data
|
- name: data
|
||||||
mountPath: /data
|
mountPath: /data
|
||||||
|
{{- if .Values.extraVolumeMounts }}
|
||||||
|
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
{{- with .Values.nodeSelector }}
|
{{- with .Values.nodeSelector }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{- toYaml . | nindent 8 }}
|
{{- toYaml . | nindent 8 }}
|
||||||
@ -98,6 +109,9 @@ spec:
|
|||||||
- name: config
|
- name: config
|
||||||
secret:
|
secret:
|
||||||
secretName: {{ include "gitea.fullname" . }}
|
secretName: {{ include "gitea.fullname" . }}
|
||||||
|
{{- if .Values.extraVolumes }}
|
||||||
|
{{- toYaml .Values.extraVolumes | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
|
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
|
||||||
- name: data
|
- name: data
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
|
31
values.yaml
31
values.yaml
@ -69,11 +69,36 @@ statefulset:
|
|||||||
|
|
||||||
persistence:
|
persistence:
|
||||||
enabled: true
|
enabled: true
|
||||||
# existingClaim:
|
# existingClaim:
|
||||||
size: 10Gi
|
size: 10Gi
|
||||||
accessModes:
|
accessModes:
|
||||||
- ReadWriteOnce
|
- ReadWriteOnce
|
||||||
|
|
||||||
|
# additional volumes to add to the Gitea statefulset.
|
||||||
|
extraVolumes:
|
||||||
|
# - name: postgres-ssl-vol
|
||||||
|
# secret:
|
||||||
|
# secretName: gitea-postgres-ssl
|
||||||
|
|
||||||
|
|
||||||
|
# additional volumes to mount, both to the init container and to the main
|
||||||
|
# container. As an example, can be used to mount a client cert when connecting
|
||||||
|
# to an external Postgres server.
|
||||||
|
extraVolumeMounts:
|
||||||
|
# - name: postgres-ssl-vol
|
||||||
|
# readOnly: true
|
||||||
|
# mountPath: "/pg-ssl"
|
||||||
|
|
||||||
|
# bash shell script copied verbatim to the start of the init-container.
|
||||||
|
initPreScript: ""
|
||||||
|
#
|
||||||
|
# initPreScript: |
|
||||||
|
# mkdir -p /data/git/.postgresql
|
||||||
|
# cp /pg-ssl/* /data/git/.postgresql/
|
||||||
|
# chown -R git:git /data/git/.postgresql/
|
||||||
|
# chmod 400 /data/git/.postgresql/postgresql.key
|
||||||
|
|
||||||
|
|
||||||
gitea:
|
gitea:
|
||||||
admin:
|
admin:
|
||||||
username: gitea_admin
|
username: gitea_admin
|
||||||
@ -96,8 +121,8 @@ gitea:
|
|||||||
|
|
||||||
config: {}
|
config: {}
|
||||||
# APP_NAME: "Gitea: Git with a cup of tea"
|
# APP_NAME: "Gitea: Git with a cup of tea"
|
||||||
# RUN_MODE: dev
|
# RUN_MODE: dev
|
||||||
#
|
#
|
||||||
# server:
|
# server:
|
||||||
# SSH_PORT: 22
|
# SSH_PORT: 22
|
||||||
#
|
#
|
||||||
|
Loading…
Reference in New Issue
Block a user