enhancements to support postgres client-cert authentication (#47)

This PR adds a few new chart features which adds to the flexibility of the chart.

- allow extra volumes to be mounted (such as secrets): 2f862c5a48
- pass environment variables also to the init-container: 7044049478
- allow a preparation script to be "injected" into the init-container: 6125a69345

As a concrete example of how this can be used, I use it to configure Gitea to use client certificate authentication against an external Postgres database. That could be accomplished by having a `gitea-postgres-ssl` secret:

```
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: gitea-postgres-ssl
data:
  postgresql.crt: <base64...>
  postgresql.key: <base64...>
  root.crt: <base64...>
```

and then mounting this as a volume in Gitea using:

```
extraVolumes:
- name: postgres-ssl-vol
  secret:
    secretName: gitea-postgres-ssl

extraVolumeMounts:
- name: postgres-ssl-vol
  readOnly: true
  mountPath: "/pg-ssl"
```

To get the right permissions on the credentials, we'd use the `initPreScript`:

```
initPreScript: |
  # copy postgres client and CA cert from mount and
  # give proper permissions
  mkdir -p /data/git/.postgresql
  cp /pg-ssl/* /data/git/.postgresql/
  chown -R git:git /data/git/.postgresql/
  chmod 400 /data/git/.postgresql/postgresql.key
```

and to make sure that Gitea uses the certificate we need to pass the proper postgres environment variables (both to the init container and the "main" container):

```
statefulset:
  env:
  - name:  "PGSSLCERT"
    value: "/data/git/.postgresql/postgresql.crt"
  - name:  "PGSSLKEY"
    value: "/data/git/.postgresql/postgresql.key"
  - name:  "PGSSLROOTCERT"
    value: "/data/git/.postgresql/root.crt"
```

Co-authored-by: Peter Gardfjäll <peter.gardfjall.work@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/47
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: 6543 <6543@obermui.de>
Co-authored-by: petergardfjall <petergardfjall@noreply.gitea.io>
Co-committed-by: petergardfjall <petergardfjall@noreply.gitea.io>
petergardfjall 2021-01-20 19:28:39 +08:00 committed by luhahn
parent 0c8f226f1f
commit 57479bdf37
4 changed files with 58 additions and 8 deletions


@ -291,10 +291,13 @@ Annotations can be added to the Gitea pod.
### Others ### Others
| Parameter | Description | Default | | Parameter | Description | Default |
|---------------------|-----------------------------------|------------------------------| |-------------------------------------------|--------------------------------------------------------|-------------|
|statefulset.terminationGracePeriodSeconds| Image to start for this pod | gitea/gitea | | statefulset.terminationGracePeriodSeconds | Image to start for this pod | gitea/gitea |
|statefulset.env | Additional environment variables to pass to containers | [] | | statefulset.env | Additional environment variables to pass to containers | [] |
| extraVolumes | Additional volumes to mount to the Gitea statefulset | {} |
| extraVolumeMounts | Additional volumes mounts for the Gitea containers | {} |
| initPreScript | Bash script copied verbatim to start of init container | |
### Image ### Image


@ -8,6 +8,14 @@ type: Opaque
stringData: stringData:
init_gitea.sh: |- init_gitea.sh: |-
#!/bin/bash #!/bin/bash
{{- if .Values.initPreScript }}
# BEGIN: initPreScript
{{- with .Values.initPreScript -}}
{{ . | nindent 4}}
{{- end -}}
# END: initPreScript
{{- end }}
mkdir -p /data/git/.ssh mkdir -p /data/git/.ssh
chmod -R 700 /data/git/.ssh chmod -R 700 /data/git/.ssh
mkdir -p /data/gitea/conf mkdir -p /data/gitea/conf
@ -32,4 +40,4 @@ stringData:
{{- include "gitea.ldap_settings" . | nindent 6 }} \ {{- include "gitea.ldap_settings" . | nindent 6 }} \
) \ ) \
{{- end }} {{- end }}
' '
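Review bot: The right trim on `{{- end -}}` (the line after `{{ . | nindent 4}}`) also removes the newline and indentation before `# END: initPreScript`, so the marker is appended directly to the last line of the injected script unless the value itself ends in a newline; with a `|-` block scalar or a plain string the final command gains a `# END: initPreScript` suffix, and since that `#` is not preceded by whitespace bash treats it as part of the last word rather than a comment. The `initPreScript: |` example in values.yaml keeps a trailing newline, which is why the documented usage happens to render correctly. Dropping the trailing dash, `{{- end }}`, keeps the line break however the value was written; the outer `{{- if .Values.initPreScript }}` is also redundant with `{{- with }}`, which already skips an empty value. Indentation is not visible in this rendering, so this reads the trim markers rather than the rendered output.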


@ -31,6 +31,11 @@ spec:
- name: init - name: init
image: "{{ .Values.image.repository }}:{{ ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") }}" image: "{{ .Values.image.repository }}:{{ ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") }}"
command: ["/usr/sbin/init_gitea.sh"] command: ["/usr/sbin/init_gitea.sh"]
env:
{{- range .Values.statefulset.env }}
- name: {{ .name | quote | nospace }}
value: {{ .value | quote }}
{{- end }}
volumeMounts: volumeMounts:
- name: init - name: init
mountPath: /usr/sbin mountPath: /usr/sbin
@ -38,6 +43,9 @@ spec:
mountPath: /etc/gitea/conf mountPath: /etc/gitea/conf
- name: data - name: data
mountPath: /data mountPath: /data
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
containers: containers:
- name: {{ .Chart.Name }} - name: {{ .Chart.Name }}
@ -78,6 +86,9 @@ spec:
volumeMounts: volumeMounts:
- name: data - name: data
mountPath: /data mountPath: /data
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- with .Values.nodeSelector }} {{- with .Values.nodeSelector }}
nodeSelector: nodeSelector:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
@ -98,6 +109,9 @@ spec:
- name: config - name: config
secret: secret:
secretName: {{ include "gitea.fullname" . }} secretName: {{ include "gitea.fullname" . }}
{{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
- name: data - name: data
persistentVolumeClaim: persistentVolumeClaim:
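Review bot: The `env:` block added to the init container renders only `.name` and `.value`, so an entry written with `valueFrom` (for example a `secretKeyRef` for a database password) is silently emitted as `value: ""` instead of being rejected. Either render the whole entry, `{{- with .Values.statefulset.env }}` / `{{- toYaml . | nindent 12 }}` / `{{- end }}` (matching the `nindent 12` used for `extraVolumeMounts`, at the cost of losing the `quote` that protects numeric-looking values), or state the restriction in the README row for `statefulset.env` with a comment such as `# only literal name/value pairs are rendered; valueFrom is ignored`. The main container's env block is outside the hunk; if it uses the same `range`, the same applies there.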


@ -69,11 +69,36 @@ statefulset:
persistence: persistence:
enabled: true enabled: true
# existingClaim: # existingClaim:
size: 10Gi size: 10Gi
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
# additional volumes to add to the Gitea statefulset.
extraVolumes:
# - name: postgres-ssl-vol
# secret:
# secretName: gitea-postgres-ssl
# additional volumes to mount, both to the init container and to the main
# container. As an example, can be used to mount a client cert when connecting
# to an external Postgres server.
extraVolumeMounts:
# - name: postgres-ssl-vol
# readOnly: true
# mountPath: "/pg-ssl"
# bash shell script copied verbatim to the start of the init-container.
initPreScript: ""
#
# initPreScript: |
# mkdir -p /data/git/.postgresql
# cp /pg-ssl/* /data/git/.postgresql/
# chown -R git:git /data/git/.postgresql/
# chmod 400 /data/git/.postgresql/postgresql.key
gitea: gitea:
admin: admin:
username: gitea_admin username: gitea_admin
@ -96,8 +121,8 @@ gitea:
config: {} config: {}
# APP_NAME: "Gitea: Git with a cup of tea" # APP_NAME: "Gitea: Git with a cup of tea"
# RUN_MODE: dev # RUN_MODE: dev
# #
# server: # server:
# SSH_PORT: 22 # SSH_PORT: 22
# #
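Review bot: `extraVolumes:` and `extraVolumeMounts:` are written as bare keys, so they parse as null rather than as the empty lists the templates feed to `toYaml`; `extraVolumes: []` and `extraVolumeMounts: []` make the intended type explicit and avoid a null/list mismatch when a user's values file is merged on top. The README rows added in this commit give the default as `{}`, which matches neither; `[]` there too. The `initPreScript` comment could also state that the script runs with the init container's privileges before any of the chart's own setup (the example relies on `chown`), so anyone who can set chart values can run commands there and a values file that sets it should be reviewed like code.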